Incident: Data Breach at Fraternal Order of Police Website due to Software Errors

Published Date: 2016-01-28

Postmortem Analysis
Timeline
1. The software failure incident happened when the hacker breached the website of the Fraternal Order of Police (FOP) and posted private files online, as reported in Article 39631.
2. Published on 2016-01-28 08:00:00+00:00.
3. The incident likely occurred around January 2016.

System
The software failure incident mentioned in the article involved a breach of the Fraternal Order of Police's website, resulting in the leak of sensitive information. The systems that failed in this incident were:
1. Website security system: The website's security system failed to prevent the hacker from breaching the system and accessing sensitive data [39631].
2. Encryption system: The encryption system accepted a pseudo-encryption key that it should not have, indicating a failure in the encryption mechanism [39631].

Responsible Organization
1. The software failure incident was caused by a hacker who breached the website of the Fraternal Order of Police (FOP) and leaked private files, including forum posts and contracts [39631].

Impacted Organization
1. The Fraternal Order of Police (FOP) - private files, forum posts, and contracts were leaked due to the software failure incident [39631].

Software Causes
1. The software error that allowed the breach was the acceptance of a pseudo-encryption key that the system should not have accepted, leading to the hack [39631].

Non-software Causes
1. The breach occurred due to a hacker gaining unauthorized access to the website of the Fraternal Order of Police (FOP) [39631].
2. The hacker was able to feed the system a pseudo-encryption key that the system should not have accepted due to software errors [39631].
3. The hack was traced back to an IP address in the UK [39631].
4. The hacker released the files after receiving them from a source who wished to remain anonymous and wanted them made public [39631].

Impacts
1. Private files belonging to America’s biggest police union, including sensitive information such as names and addresses of officers, forum posts critical of political figures, and controversial contracts made with city authorities, were exposed online [39631].
2. The breach led to the leaking of threads from the FOP’s members-only online forum, revealing officers' discontent and criticism towards political figures like Barack Obama and Sonia Sotomayor [39631].
3. The hack exposed hundreds of contracts between regional authorities and local fraternal order of police lodges, some of which have been criticized for shielding police officers from disciplinary action following the excessive use of force [39631].

Preventions
1. Implementing robust cybersecurity measures such as regular security audits, penetration testing, and intrusion detection systems could have potentially prevented the hack [39631].
2. Ensuring that software systems have proper input validation mechanisms to prevent unauthorized access through techniques like SQL injection or feeding pseudo-encryption keys [39631].
3. Conducting thorough code reviews and testing to identify and fix software errors that could lead to vulnerabilities exploited by hackers [39631].
4. Educating staff and members on cybersecurity best practices, including strong password policies, avoiding phishing attempts, and being cautious with sharing sensitive information online [39631].

Fixes
1. Implementing stricter security measures such as multi-factor authentication and regular security audits to prevent future breaches [39631].
2. Conducting thorough software testing to identify and fix vulnerabilities that allowed the system to accept a pseudo-encryption key it should not have accepted [39631].
3. Enhancing data encryption protocols to ensure that sensitive information is adequately protected [39631].

References
1. Chuck Canterbury, the FOP’s national president [39631]
2. Cthulhu, the individual claiming responsibility for the hack [39631]

Software Taxonomy of Faults

Category Option Rationale
Recurring unknown (a) The software failure incident related to the breach of the Fraternal Order of Police (FOP) website has not been reported to have happened again within the same organization [39631]. (b) The software failure incident related to the breach of the FOP website has not been reported to have happened again at other organizations or with their products and services [39631].
Phase (Design/Operation) design (a) The software failure incident in this case was attributed to a design flaw. The breach of the Fraternal Order of Police's website and subsequent leak of sensitive information, including private files and forum posts, was due to a pseudo-encryption key being fed into the system that it should not have accepted but did because of software errors introduced during the system development phase [39631]. (b) There is no specific information in the provided article indicating that the software failure incident was due to factors introduced by the operation or misuse of the system.
Boundary (Internal/External) within_system, outside_system (a) The software failure incident in this case was within the system. The breach of the Fraternal Order of Police's website and the subsequent leak of sensitive data, including private forum posts and contracts, was attributed to software errors within the system. The FOP president, Chuck Canterbury, mentioned that the hack had been traced to an IP address in the UK, and the hackers were able to exploit a software error by feeding the system a pseudo-encryption key that it should not have accepted [39631]. Additionally, Canterbury stated that the FOP had called in security contractors to investigate the breach, indicating that the focus was on addressing the software vulnerabilities within their system that allowed the hack to occur [39631].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident occurred due to non-human actions, specifically a hacker breaching the website of the Fraternal Order of Police (FOP) and dumping 2.5GB of data online [39631]. The hacker was able to feed the system a pseudo-encryption key that the system should not have accepted but did due to software errors. This non-human action led to the breach and subsequent leak of sensitive information [39631]. (b) Human actions also played a role in the software failure incident. The leaked data included forum posts critical of Barack Obama, Sonia Sotomayor, and others made by FOP members. Additionally, the FOP president mentioned that steps were being taken to notify members about the breach, indicating human actions in response to the incident [39631].
Dimension (Hardware/Software) hardware (a) The software failure incident occurred due to hardware issues as mentioned in the article. The breach of the Fraternal Order of Police's website was attributed to a hacker who was able to feed the system a pseudo-encryption key that the system should not have accepted but did due to hardware errors [39631].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident in this case was malicious. The failure occurred due to a hacker breaching the website of the Fraternal Order of Police (FOP) and posting private files online, including sensitive information about officers, forum posts critical of political figures, and controversial contracts [39631]. The hacker was able to exploit software errors by feeding the system a pseudo-encryption key that it should not have accepted, leading to the data breach [39631]. (b) There is no indication in the articles that the software failure incident was non-malicious.
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions (a) The software failure incident in this case was attributed to poor decisions made in the system's design and implementation. The FOP president mentioned that the hack was possible because the system accepted a pseudo-encryption key that it should not have accepted due to software errors. This indicates that the software's design allowed for vulnerabilities that were exploited by the hackers, leading to the breach of sensitive data [39631]. (b) Additionally, the incident also involved accidental decisions or mistakes in the system's security measures. The fact that the system accepted an encryption key it should not have indicates a flaw in the software's validation process, which could be considered an unintended decision or mistake that contributed to the failure [39631].
Capability (Incompetence/Accidental) development_incompetence, unknown (a) The software failure incident in this case was attributed to development incompetence. The breach of the Fraternal Order of Police (FOP) website was due to a hacker who was able to exploit software errors. The FOP president mentioned that the hack occurred because the system accepted a pseudo-encryption key that it should not have accepted due to software errors [39631]. (b) The accidental aspect of the software failure incident is not explicitly mentioned in the provided article.
Duration temporary The software failure incident mentioned in the article was temporary. The breach occurred due to a hacker feeding the system a pseudo-encryption key that the system should not have accepted but did due to software errors. The breach led to the leaking of private files and forum posts from the Fraternal Order of Police's website [39631].
Behaviour crash, omission, value, other (a) crash: The software failure incident in this case resulted in a crash as the FOP's national site, fop.net, remained offline after the hack [39631]. (b) omission: The software failure incident also involved omission as some names and addresses were taken, causing concern for the FOP as they needed time to notify their members about the breach [39631]. (d) value: The software failure incident can be attributed to a value failure as the system accepted a pseudo-encryption key that it should not have, leading to the breach [39631]. (f) other: The software failure incident also exhibited other behaviors such as allowing the hack to occur due to software errors that enabled the system to accept the pseudo-encryption key [39631].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident involving the breach of the Fraternal Order of Police's website resulted in the exposure of private files belonging to the police union, including sensitive information such as the names and addresses of officers, forum posts critical of public figures, and controversial contracts made with city authorities [39631]. This breach led to the leaking of 2.5GB of data, which was then shared online, potentially exposing personal and confidential information of the union's members [39631]. Additionally, the incident involved the leaking of threads from the FOP's members-only online forum, which contained discussions critical of public figures like Barack Obama and Sonia Sotomayor [39631]. The breach was attributed to software errors that allowed the hackers to feed the system a pseudo-encryption key that it should not have accepted, leading to the unauthorized access and leak of sensitive data [39631].
Domain information, finance, government (a) The failed system in this incident was related to the industry of information. The software failure incident involved a hack on the website of the Fraternal Order of Police (FOP), resulting in the exposure of private files, forum posts, and controversial contracts online [39631]. The breach led to the leaking of sensitive information such as names, addresses of officers, and forum discussions critical of political figures like Barack Obama and Sonia Sotomayor. (h) Additionally, the incident involved financial details and personal information of the FOP members being compromised, prompting the FOP to take steps to notify their members about the breach [39631]. (l) The government sector was also impacted by this software failure incident as the leaked data included contracts between regional authorities and local fraternal order of police lodges, some of which were criticized for shielding police officers from disciplinary actions following the excessive use of force [39631].
