Amidst national protests against police brutality spurred by the police murder of George Floyd, hundreds of University of New Mexico Police Department files were leaked in what is reportedly the largest hack of United States law enforcement agencies. Notably, UNMPD appears to be the only university police department included in the leak.
It’s now been over three months since the hacked files were published with no public action from the University.
Responding to a request from the Daily Lobo, UNM said they were unaware that private information — like home addresses and driver’s license numbers collected for police reports — was made public.
Referred to as “BlueLeaks,” files from over 200 law enforcement agencies were published by a group known as Distributed Denial of Secrets (DDOS) on June 19, the Juneteenth holiday. The files came from the hacking group Anonymous, according to DDOS founder Emma Best.
"It's the largest published hack of American law enforcement agencies," Best told Wired. "It provides the closest inside look at the state, local and federal agencies tasked with protecting the public, including (the) government response to COVID and the BLM protests."
Two data sets from the University were leaked — files related to UNMPD investigations and information gathered under the Clery Act, which aims to provide transparency around campus crime.
Over a week after the files were made public, UNM Clery Act compliance officer Robert Burford informed UNM’s Office of Equal Opportunity director Francie Cordova, information security officer Jeff Gassaway and UNMPD commanders James Madrid and Timothy Stump about the leak in a series of emails obtained under the Freedom of Information Act and published on Internet Archive.
In his initial email, with a subject line reading “Breach of Mostly Publishable Information,” Burford wrote that no private information collected under the Clery Act was made public, adding that he didn’t know “what is on that server from UNMPD’s standpoint.”
Private information collected by UNMPD was indeed leaked. One file, which appears to be an intake form for lost or stolen bicycles, includes people’s home addresses, personal phone numbers and driver’s license numbers.
When asked by the Daily Lobo if UNM had notified people whose private information was leaked, University spokesperson Cinnamon Blair said, “We were not aware that the specific files you referenced were publicly available, and are now conducting a comprehensive review of that data, and will take the appropriate steps to notify any affected individuals.”
Under the state’s Data Breach Notification Act, individuals must be notified within 45 days — a deadline that has long passed — of the discovery of a breach of personal identifying information. It’s unclear how the law applies to a public entity like UNM, as well as what the University’s liability for the leak may be.
Later in the email thread, Burford wrote that he’d been in contact with Karen Fischer, who alerted Burford to the leak on June 30, a day after Burford’s first email. Fischer previously worked as a “strategic support division manager” for the Albuquerque Police Department, according to Albuquerque Business First.
UNMPD Commander Madrid identified Fischer as the University’s main point of contact for Netsential, a web development company that stored the files of all the agencies included in the leak. The company confirmed that its servers were compromised in a statement on its website.
“If you search on Netsential security breach in Google, you can find out a lot more about what happened,” Fischer wrote in a June 30 email to Burford and Stump. “I just did and it seems like there are many PDs, fusion centers (collaborations between federal agencies and state and local police departments), and other LE (law enforcement) entities that have quite a bit of very sensitive info that has been compromised, and have a significant concern over the breach.”
UNM decided in 2013 to use Netsential to store UNMPD data because the company “specializes in web and data services specific to the needs of a police department,” according to Blair, who confirmed that UNMPD is still using Netsential to store its data.
The Intercept, meanwhile, has reported on the vulnerabilities of Netsential and how it “may have been easy to hack.”
“...Unless Netsential has fixed these potential vulnerabilities since the BlueLeaks data was made public and pushed updates to all of the websites still running its code, it’s likely that these law enforcement websites, including major police fusion centers in use today, are still vulnerable…,” an Intercept report reads.
Fischer — UNMPD’s main point of contact for Netsential — was one of the founders of the Albuquerque Retail Assets Protection Association, an APD anti-crime program created in 2006 that has grown into “a significant private sector intelligence and data-gathering operation conducted on behalf of police,” according to AbolishAPD, a local group that does research on policing.
Leaked documents “demonstrate that APD has not only privatized information and intelligence gathering but has also shifted the authority to determine policing priorities to the private sector,” the AbolishAPD report states.
Fischer has been a consultant for UNM since 2013 — the same year UNMPD started using Netsential to store its data — and continues to “provide services to maintain and update UNMPD’s website,” according to Blair.
One of the leaked files from the University is a list of registered campus security authorities, who are “required to report Clery Act qualifying crimes which occurred on campus, in public areas bordering campus and in certain non-campus buildings owned or controlled by the University.”
Fischer is listed as an “administrative” campus security authority.
David Correia, a researcher of policing currently publishing work under AbolishAPD, said that Fischer’s status as a campus security authority “suggests that Fischer, the person at the center of an enormous and possibly illegal surveillance operation at APD, served in some official UNM capacity with authority over students.”
As of the publication of this article, Fischer hasn’t responded to multiple requests for comment.
Now, over three months after the BlueLeaks hack, UNM has yet to publicly address the leak that exposed the private information of hundreds of people.
Bella Davis is a senior reporter at the Daily Lobo. She can be contacted at firstname.lastname@example.org or on Twitter @bladvs