Hacktivists known as FocaLeaks claim to have hacked and exfiltrated data on 37,000 agents of Policía Nacional Civil de El Salvador (PNC). The information can allegedly be used to access government records on all citizens and to access criminal investigations.

Ransomware attacks on police departments have made headlines a number of times over the past few years — especially the Babuk attack and dump of D.C. Police files that contained personnel information as well as alleged files concerning confidential informants. But while ransomware has been grabbing headlines, old-fashioned hacktivism is still a thing, as the recent incident involving Epik demonstrates. And right now, the police force of El Salvador and the residents of that country appear to be at significant risk of exposure of personal and sensitive data.

Datahacks.net was first made aware of the “FocaLeaks” operation by DDoSecrets.com, a site that serves as a non-profit transparency collective. Through them, Datahacks.net made contact with a spokesperson for FocaLeaks to get more information. All communications with FocaLeaks’ spokesperson were conducted in English. The hack was previously reported in the media by David Bernal in La Prensa Gráfica on September 9.

Who is FocaLeaks?

FocaLeaks describes itself as the collaborative effort of individuals in Latin America and Europe. Their goal, according to their spokesperson, is to “exert pressure on governments with authoritarian and populist tendencies to destabilize their power and generate discontent among the population.” While the FocaLeaks name is specific to activities involving El Salvador, the group claims to have access to various government systems, documents, and databases from other countries as well.
“FocaLeaks” as an operation or group has been active for less than a month, and derives its name from a derisive term for the government and police of El Salvador used by the opposition or anti-government elements: “foca” means “seal.”

When asked whether they engage in disruptive activities such as destroying databases, the spokesperson responded:

Normally we obtain information from various sources, we store it and use it as an intelligence resource, we are not noisy, we do not cause damage to the infrastructure. It is not our purpose, we have been in their systems for years without problems.

The spokesperson, who will be referred to here as “John Doe” (no relative of Dissent Doe, however), made a point of noting that FocaLeaks is not affiliated with any existing popular movement or political party. Nor, Doe said, do they have any special grudge against the El Salvador police, “apart from lending themselves to illegal arrests like [Mario Gómez’s] — his arrest and seizure of devices was irregular and illegal.”

We are the ones who are going to balance the scales of power. We have been watching their actions for a long time, we have seen their sins, we have weighed them in the balance and they have been found wanting. The day they decided to trample on Mario was the last straw. We have access to various government systems, documents and databases; here we leave you our first sample. If they do not desist from their conduct we will make the world burn, nothing will remain hidden, we are the light. We are going to expose the personal information of every member of the armed forces, the National Civil Police, politicians; no one will escape. We are an idea, the idea that thinking differently is not a crime, but controlling the flow of information is.
#LiberenaMario — Statement by FocaLeaks

The Cyberattack on the El Salvador Police

Doe would not provide specific details about their methods, only telling Datahacks.net that while in a police station, they had spotted keys and user information stuck on a wall. And that, Doe says, was the beginning of it all.

“Our team has exploited flaws in their mobile application to access or manage to dump the information, given its poor authentication,” Doe told this site, adding, “You’d be surprised how little these people securitize (sic) their APIs.”

The Data Dump

DDoSecrets has made a redacted data set available to the public. Datahacks.net has decided to provide only one heavily redacted sample of the kinds of records in each of the two files provided by FocaLeaks to this site.

One set of data has records that look like this:

    ONI: [redacted]
    NOMBRE: [redacted]
    Datos policiales: [redacted] INTERPOL/DEPARTAMENTO BUSQUEDA INTERNACIONAL DE PERSONAS FUGITIVAS Y EXTRADICCIONES/RANGO:[redacted]
    TEL INSTITUCIONAL: [redacted]
    Usuario de Imperium: [redacted]
    DUI: [redacted]
    ESTADO: ACTIVO

The other data set has records that look like this:

    {"id":"[redacted]","oni":"[redacted]","numero":"[redacted]","Correo":"[redacted]","upd":"[redacted]","imei":"[redacted]","pin":"[redacted]"}

Data for the two sets agree. Without going into detail here, one data set contains the logins to the Policía Nacional Civil de El Salvador (PNC) system. According to FocaLeaks, spoofing the IMEI allows someone to access a custom police app, which can then be used to access a platform to obtain other data that will enable them to access the “Imperium” platform. Although Datahacks.net knows the names of the app and platform, they are not being named here.

Doe provided us with screencaps taken from within the custom app and one of the platforms. Doe also provided us with specific steps to follow to access Imperium. To protect the safety of others, we are not reporting those steps.
We note that while Doe was able to provide us with screencaps from the custom app and a platform, there was no screencap provided from within “Imperium,” despite our request. While that lack of proof is a bit concerning, we note that when we contacted the PNC, they did not deny the claimed hack. Their national security advisor was cc’d on their statement, described further later in this post.

According to Doe, the “Imperium” platform contains criminal investigations, but it also contains civil records that include the government’s information on every individual in the country, including their rank, telephone number, email address, license plate information, and identity documents. If FocaLeaks’ claim is accurate, then there is a significant security risk as IMEI numbers cannot be changed, and access to the Imperium platform could potentially be misused to find and retaliate against informants or others, or […]
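The report's two technical points, that a spoofed IMEI was enough to get into the app and that an IMEI cannot be rotated once leaked, come down to one design mistake: treating a stable, client-supplied device attribute as an authenticator. The toy code below is an added illustration, not code from the report or from any PNC system, contrasting that weak check with a server-issued, short-lived, revocable token; every record, identifier and key in it is constructed.

```python
"""Added example: a client-supplied device identifier such as an IMEI is not an
authenticator; contrast with a revocable server-signed token. All data constructed."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed stand-in for a leaked record; the identifier is a stable, unchangeable
# device attribute, so once it leaks it stays valid forever.
LEAKED_RECORDS = [{"oni": "0001", "imei": "356938035643809"}]

def weak_login(imei: str) -> bool:
    """Weak design: whatever IMEI the client sends is accepted as proof of identity,
    so anyone holding the leaked list can log in as the agent."""
    return any(r["imei"] == imei for r in LEAKED_RECORDS)

# Hardened design: after a real authentication step the server issues a short-lived,
# HMAC-signed token that it can revoke; a leaked IMEI alone grants nothing.
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients
REVOKED = set()

def issue_token(agent_id: str, ttl: int = 900, now: Optional[float] = None) -> str:
    """Return agent:expiry:nonce:signature; the signature covers the first three."""
    exp = int((now if now is not None else time.time()) + ttl)
    nonce = secrets.token_hex(8)
    body = f"{agent_id}:{exp}:{nonce}"
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{sig}"

def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the agent id for a valid, unexpired, unrevoked token, else None."""
    parts = token.split(":")
    if len(parts) != 4 or token in REVOKED:
        return None
    agent_id, exp, nonce, sig = parts
    body = f"{agent_id}:{exp}:{nonce}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered token
    if (now if now is not None else time.time()) >= int(exp):
        return None  # expired: a stolen token has a bounded lifetime
    return agent_id

def revoke(token: str) -> None:
    """Unlike an IMEI, a token can be invalidated the moment a leak is suspected."""
    REVOKED.add(token)
```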