In June 2020, the web servers of Netsential based in Houston, TX was hacked resulting in the theft of roughly 270 gigabytes of information. The hacking group Distributed Denial of Secrets (DDoSecrets) published the stolen data on the web on June 19, 2020. “BlueLeaks” is the term used for this hacking and data leak incident. It involved 10 years of law enforcement information from about 200 fusion centers and police departments. Fusion centers collect and evaluate threat data and share the information with states, government agencies, and private sector companies. The leaked information included over 1 million lines and comprised scanned records, audio and video files, and email messages.
The State Fusion Center of South Dakota Department of Public Safety recently reported that it was likewise affected by the breach. The South Dakota Fusion Center used Netsential’s services to create a secure website in the spring of 2020. The website was created to help first responders identify COVID-19 positive persons so that they could take extra safety measures to avert infection when they respond to incidents. First responders do not directly get Information about COVID positive persons. They can contact a dispatcher who will confirm if a particular person was COVID-19 positive by checking a secure web portal.
The website hosted on Netsential’s secure web servers implemented proper security controls and allows access to a minimal number of HIPAA trained South Dakota officials only. There were security measures as well that make sure that in case an unauthorized person obtained access to the data file separately on the web portal, he could not access the health data of individuals.
Nonetheless, Netsential put labels to the file which accidentally granted access to the data of individuals in case the file is taken from Netsential’s systems. Hackers stole that file during the BlueLeaks attack and, due to failure of Netsential’s security, the hackers had access to the names, addresses, birth dates, and COVID-19 statuses of an unreported number of people. Notifications are now being sent to individuals impacted by the data leak.