Recovering the personal information of 20,000 FBI employees and 9,000 DHS employees is hard.
Earlier this week, a hacker dumped the apparent names, job positions, email addresses, and phone numbers of over 20,000 supposed Federal Bureau of Investigation employees (FBI), and over 9,000 alleged Department of Homeland Security (DHS) workers. Now, the FBI is trying to scrub that breached data from the face of the internet, no matter how futile that might be.
The data has made its way across the web from pastebin-style sites, over to less likely hosts. The hacked employee details were uploaded to Indybay, a San Francisco community news-site, for example, on February 8.
"This morning, the data stolen from the Department of Justice [...] was posted to your site," an email from Supervisory Special Agent Ricky Alwine to Indybay reads. "Please remove these posts as quickly as possible," Alwine's email continues. "We will follow-up with any legal process you require."
Indybay complied and took the hacked data down, replacing it with the text of the FBI email, a volunteer calling himself David confirmed to Motherboard in an email.
"The Indybay editorial collective will be posting a statement on the matter by tomorrow," he wrote.
Alwine, when asked about his take-down request, told Motherboard in a phone call, "I'm sorry, I cannot comment." The FBI's press department did not provide a response in time for publication.
"Sensitive Information Leaked on your site."
On Sunday, before the databases were dumped, Motherboard obtained a cache of the data and confirmed that many of the numbers and names were legitimate. At one point, Motherboard reached the operations centre of the FBI.
The hacker behind the breach claimed that it all started after he compromised a Department of Justice (DoJ) email account. (The hacker used this email account to contact this reporter around a week earlier). He then tried logging into a DoJ web portal, but when he wasn't able to, phoned the relevant department.
"So I called up, told them I was new and I didn't understand how to get past [the portal]," the hacker told Motherboard. "They asked if I had a token code, I said no, they said that's fine—just use our one." From here, he clicked a link to a personal computer, which led to an online virtual machine, from which he was presented with three different computers to access.
After the breach became public, government officials downplayed the seriousness of the hack, with a DHS spokesperson telling Motherboard that "there is no indication at this time that there is any breach of sensitive or personally identifiable information."
Apparently, the FBI agent who sent the take-down request does not agree: the subject header of his email reads "Sensitive Information Leaked on your site."
On top of this, the site that originally hosted the dumped data has had some technical difficulties, reports The Daily Dot, with visitors being unable to easily connect. An FBI spokesperson would neither confirm nor deny any law enforcement involvement with the site.
In a similar way to how companies attempt to remove private data from the internet once it has been dumped, the FBI is, at best, engaged in damage control at the moment, while at worst is playing an ultimately pointless game: the names and contact details of tens of thousands of government employees have already been downloaded plenty of times. Scrubbing those details from a few websites is unlikely to make the data disappear for good.