Hackers Claimed to Breach a Police Vendor, Spilling Data Trove

ODIN Intelligence markets software to law enforcement agencies, but its operations are opaque. Its official address is a mailbox inside a UPS store. LinkedIn lists about a dozen employees, and ODIN's website contains only one sentence: “We help communities link homeless with resources; help protect citizens from child predators, and assist in locating missing persons.”

Last week, the company published a notice saying that a hacking group claimed to have broken into its networks and stole gigabytes of data. About the same time, hackers provided a trove of documents — purportedly from ODIN Intelligence — to the Distributed Denial of Secrets, a pro-transparency group.

A Bloomberg review of the leaked dataset offers what appears to be a fuller picture of the small firm's products and customers, as well as a glimpse into operations by the police agencies that use its products.

More than 150 local, state and federal agencies had ODIN user accounts, according to the database, which also contains thousands of records detailing police sweeps, notes about operational “targets” and users' credentials. For instance, the database includes details of a multiagency child pornography sting in California that logged dozens of suspects with their names, addresses and dates of birth.

The attack on ODIN — its website defaced in the same hack with the slogan “ACAB,” short for “All Cops Are B****rds” — brings renewed attention to the growing constellation of private firms that help law enforcement agencies do their jobs, selling everything from analytical software to drones and other surveillance equipment. “Unlike public officials, private actors are not democratically accountable to the public,” wrote Farhang Heydari, executive director of the Policing Project at NYU School of Law, in a 2021 paper.

New Mexico Probe

The probation office for New Mexico's federal courts is now investigating the breach, chief Ron Travers told Bloomberg this week. The leaked data shows his office had nearly a dozen users. Travers declined to elaborate on the probe or the office's use of ODIN's technology.

Initial details about the ODIN hack were reported earlier by Wired magazine.

ODIN was founded in 2021 by Erik McCauley, a former probation officer and forensic analyst in Orange County, California. Since then, his company's user base grew to include more than 150 sheriff's offices and police departments, such as the San Bernardino police, records from the leaked database show. ODIN is slated to be an exhibitor this year at the International Association of Chiefs of Police's annual conference.

In response to a list of written questions from Bloomberg, McCauley said: “ODIN Intelligence is a small company that develops software to help communities link homeless people with resources, protect children from offenders and locate missing persons. We are cooperating with law enforcement agencies and working with outside experts to investigate this matter.”

A representative for the San Bernardino police didn't respond to a message seeking comment. A spokesperson for the FBI, which is identified as another user in the database, declined to comment when asked about the bureau's aleged use of the technology and whether it was investigating the matter.

Coordinate Raids

ODIN's SweepWizard smartphone app lets police agencies coordinate raids. Another service, which tracks homeless people, was criticized last year after Vice News reported one of ODIN's brochures said homelessness can cause 'degradation of a city's culture.' Bloomberg's review of the leaked database found a small number of homeless individuals tagged in the system, along with their photos and other details.

The leaked records also appear to offer a glimpse into how officials perceive danger. ODIN users had logged mental health problems and depression as threats to officer safety, according to the database. “MH issues, Prior Navy” lists one entry in the database for an apparent sex offender. “Bi-POLAR,” writes another. “Transient” is the sole safety reason in two other instances, according to the leaked data.

Objectives for the operations vary, according to the leaked data. 'To catch pedos,' writes one officer, apparently tongue-in-cheek. Another is more direct: 'Demonstrate the ease of use of Sweep Wizard for Sex Offender Sweeps.' Much of the officers' writings were in the context of logging details about police raids.

A bulk of ODIN's clients are California police departments, according to the leaked database, which also reveals at least three federal agencies — the FBI, the US Marshals Service and the federal probation office in New Mexico — as registered users. The leaked data also appears to detail the cost of hiring ODIN: a yearly 'Gold' license costs several thousand dollars with a discount for a three-year 'Platinum' plan; some are given free trials. Private security firms, tribal agencies and a church also have logins, according to files contained in the leaked data.A representative for the Marshals Service didn't respond to an inquiry seeking comment.

‘Decided to Hack Them'

Previous reporting on the ODIN data trove found that it contained source code, police files and other material. The files also exposed biometric data, personal information and descriptions of people who might be present during a raid with no criminal histories, TechCrunch reported.

In a Jan. 17 letter from McCauley to the California attorney general's office, he said hackers claimed to gain access to ODIN's systems and stole 16 gigabytes' worth of data.

The intruders then turned the company's website into their own monochrome messaging platform, claiming that “all data and backups have been shredded.” They justified their attack based on recent reporting about ODIN's products and security vulnerabilities.

“And so,” they wrote, “we decided to hack them.”