EXCLUSIVE: One month later, some south Florida confidential records databases still not secured (UPDATED)

Almost one month after confidential records of thousands of south Florida law enforcement officials and judges were hacked and dumped online, some of the hacked databases are still not secured, the individual who claims to have hacked them tells DataBreaches.net.

Updated March 14: Dougan informs DataBreaches.net that the FBI just raided his house. More on this later.

Original story:

On February 16, Jess Swanson of the Broward Palm Beach New Times broke the story of how a friend of a former Palm Beach Sheriff’s Office deputy, Mark Dougan, hacked a number of databases and dumped the data on PBSOTalk.com. The hack was reportedly in retaliation for how the sheriff’s office had retaliated against Dougan for his efforts to expose corruption in the department.

Dougan, who tells DataBreaches.net that problems escalated for him after he reported a fellow officer to Internal Affairs, eventually left the department, following what he alleges were numerous retaliatory acts against him. Some of the department’s alleged corruption and hacks of his accounts have been documented on a website he created, PBSOTalk.com, where he also describes his experiences working for the department. Dougan claims that despite repeated efforts on his part, no federal or state agency has agreed to investigate the wrong-doing and corruption in the department.

It was their alleged hacks of Dougan’s accounts, however, he claims, that led to him selling his web site to friends of his in Russia. Those friends, he says, are solely responsible for the hacks and data dumps. And they taunt the PBSO that the data dump will remain up and there’s nothing the PBSO or law enforcement in the U.S. can do about it, as they’re in Russia. A whois lookup indicates that PBSOTalk.com is registered by Alexey Drobyshev, and hosted by Digital Ocean. The site is administered under the forum name “БадВолф” (“BadWolf” or “BadVolf”).

On February 13, in discussing the leak, he wrote, in part:

This list is brought to you courtesy of your Sheriff, Ric Bradshaw. And your Michael Gauger and Detective Kenneth Lewis. They wish to hack so there has been hacking of our own. Many kinds we cant tell you about but we can give you this little list. This list came from your government {the Palm Beach County Property Appraiser’s Office}. In this we were able to hack their database and give all (about 4,000) records confidential to public so their privacy is no more important as the people they hack.

To be clear, DataBreaches.net has not independently investigated any of the claims of corruption made by Dougan, nor any of the counterclaims and arguments made by others in the forum thread announcing the leak. What this site did attempt to verify, however, is the hacks themselves. And that’s when things took an interesting turn.

DataBreaches.net reached out to inquire exactly what databases the data dump came from and to ask for more details. Badvolf offered to demonstrate that they still had access. The following is a screencap from Badvolf’s access to pbcgov.com, taken yesterday morning (Eastern time). It was redacted by him to hide the username for login, but shows the domain name. DataBreaches.net has redacted the names of the home owners from the confidential property records. Other screencaps in this article were also redacted by DataBreaches.net to protect the names of individuals and their titles or positions. The unredacted screenshots revealed information on judges, police officers, and others in law enforcement.

Because the hackers still had access to pbcgov.com, DataBreaches.net attempted to notify the county through a contact form on their web site. Getting no response, four hours later, this blogger called their Information Systems department, eventually reaching Phil Davidson, Deputy Director of Information System Services for Palm Beach County.

When I explained why I was calling about the recent hack and to warn them that the hackers still had access, Davidson replied, “We don’t think that’s what happened.” I informed him that I could not reveal the method, but that I had proof of access taken hours earlier. He said they would look into it, and took my email address. I never heard back from him.

Today, Dougan informed me that he got a call from the FBI who would like to meet with him about the hacks. He informs me that he declined to meet them.

It is not only Palm Beach County’s server that is still unsecured, however, according to BadVolf, who claims to still have access to other counties’ or agencies’ servers. To prove that point, he provided screenshots, taken today, from Miami-Dade, Broward, Duval, and Leon counties. The latter two domains are for the clerk of court. Data from Duval, he tells me, had been acquired – and they still have access to it – but they had not dumped it publicly.

DataBreaches.net called Miami-Dade, Broward, and the two Clerks of the Court to alert them that they still had vulnerable servers. A voicemail was left for Duval.

So one month after they were hacked, the vulnerable servers of these agencies are still not secure. Worse, several of the people I spoke with did not know that they had been hacked in the first instance, erroneously thinking it was (just) the sheriff’s office that had been hacked or that it wasn’t their agency. Their confusion is somewhat understandable, as the original data dump simply named counties without being specific as to which agencies had been attacked.

“Tell them we give them sporting chance to find security flaw,” Badvolf told DataBreaches.net. “If they do this they will have diverted problem. It is like game. All of it. Our intentions not to destroy or else we could have wiped system.”

I doubt those whose confidential information has been exposed will view this as a game, and they may well be furious with these agencies that one month after the original hack was revealed, their data remain at risk of other attacks from the same or other individuals. But if the agencies didn’t realize that the data came from or through them, well, that may explain why it hasn’t been secured already.

By all accounts, this was a retaliatory attack by someone who tells me, “You understand I am not hacker by trade yes? This is only to stop assault on great friend.” That may be so, but what if criminals with other motives were to access those servers? Or what if they were to find and use the data that has already been dumped? What then?

This was a dangerous leak, and if someone who isn’t a “hacker by trade” found it easy to acquire the data, the responsible parties really need to up their security.

Update: I received a photo, allegedly taken in Moscow. Mark Dougan is in a suit with a gold tie, and “BadVolf” is the young man on the right, waving.

Dougan, noting my mention of Digital Ocean in the story, also called my attention to this article on how to hide a server.