As the FBI continues to investigate the hacking and stealing of documents from a Maine intelligence agency that revealed the personal information of alleged crime victims and suspects, the people affected by the breach likely have little recourse. But the hack should be a lesson for those in government charged with safeguarding sensitive data, said two cybersecurity experts.
“Protecting sensitive data has to be No. 1,” said Kevin Powers, founder and director of the Cybersecurity Policy and Governance Program at Boston College. That’s not just because the government should be serving the public but because it has to set an example, given that it’s responsible for holding companies and individuals accountable when they violate people’s privacy.
“At the government level, we’re supposed to be protecting information, and we’re telling others how they should protect information,” said Powers, who also spent a portion of his career at the U.S. Department of Justice.
While it’s not yet clear what, if any, consequences there will be for the Maine Information and Analysis Center, which is overseen by the Maine Department of Public Safety, it’s unlikely that the people named in the hack will see recompense. If suspects described in the files are charged with a crime, for instance, it’s unlikely they could use the hack to their advantage in court.
“While I do not like what is being done here by MIAC I don’t see any remedy for defendants here, nor do I see it as having an impact on the judicial process. The takeaway for me was that this was Big Brother stuff that made me, and anyone with concerns about privacy, very uncomfortable,” Walter McKee, a prominent Maine defense attorney, wrote in an email.
On June 19, the group Distributed Denial of Secrets published online 269 gigabytes of internal police documents that came from police departments across the country, including about 5 gigabytes of information from the Maine Information and Analysis Center, a so-called fusion center that collects, analyzes and shares intelligence between the federal government and state and local agencies. It also provides analytical support for crimes of a complex or statewide nature.
Called “BlueLeaks,” Distributed Denial of Secrets said the files came from the “hacktivist” group Anonymous, which is known for cyberattacks against governments, corporations and other institutions. The Maine-specific documents mainly show the center’s interactions with outside law enforcement agencies, including local, state and federal agencies’ requests for help on investigations in which they name potential suspects and provide sensitive details about alleged victims’ experiences.
read more coverage
For instance, the records show how the Caribou Police Department asked the fusion center for help unraveling the history of a named suspect who may have sent naked photos to a teenage girl. The Maine State Police sought information about the vehicles owned by a murder suspect; state police named and provided a date of birth and Social Security number for the suspect.
There are a number of questions the government should now answer, Powers said. “It’s really, what’s the next thing they’re going to do? How do they protect themselves better? And when they find out how it happened, what will they do so it never happens again?” he said.
There are several steps police should take, said Michael Cunniff, a Maine lawyer with cybersecurity expertise who previously worked as a federal drug agent. First, they have to assess what has been compromised.
“Once you’ve identified what has been compromised, you have to manage the damage: contacting witnesses, making adjustments to what’s been threatened by the information, assess policies to make sure what’s being collected is consistent with statute and the purpose of the agency, and then safeguard to make sure that type of breach should be prevented in the future,” Cunniff said.
The Maine Information and Analysis Center has been under fire recently, both as the subject of a whistleblower lawsuit from a state trooper who alleges it has been illegally spying on residents and as the subject of a June 24 legislative hearing where lawmakers questioned how it holds itself accountable or keeps Maine people safe.
Legislators’ questions continued in the days following news stories about the hack, which appears to have happened through the center’s website development vendor Netsential.
It’s common for hackers to target third-party vendors.
“You could have the best firewall and protections, but all it takes is the weakest link in a chain,” Powers said. “You have to be right all the time. The hackers have to be right once.”
Rep. Thom Harnett, D-Gardiner, a member of the Legislature’s judiciary committee, said he walked away from last week’s hearing still unsure about what kind of data the fusion center collects and what its employees do on a day-to-day basis. But after the breach, he said, it’s clear that whatever that data is, it’s not safe at the center.
“It was deeply troubling,” he said of the release.
He pointed specifically to one document he said detailed information about a young man who had previously stayed at the Long Creek Youth Development Center in South Portland. According to Harnett, the information simply noted the man was now living in a group home.
Not only did he see a risk for that person’s privacy, Harnett said it was unclear what good it did to keep tabs on him.
“How long does a mistake have to follow them around?” he said. “It’s almost as if people who enter the criminal justice system have a life sentence.”
When asked what Gov. Janet Mills’ administration will do to prevent such a hack from happening again, or how it might help the people affected, spokesperson Lindsay Crete said it “will continue to monitor the impacts of the breach, discuss its scope with Netsential, and work with the company to ensure that all information it possesses is secure.”
Netsential has told the Maine Department of Public Safety “that it has taken steps to secure the information it holds for Maine State Police as well as the more than 200 law enforcement and government agencies it serves across the United States,” Crete said. Meanwhile, the FBI is investigating.
If people are concerned that their private information has been compromised, they may read about how to protect themselves at maine.gov/ag/consumer/identity_theft/index.shtml, said Marc Malon, a spokesperson for the Maine attorney general’s office.
BDN reporter Caitlin Andrews contributed to this report.