Police Say No Evidence Of Value Was Lost In Ransomware Attack, Except Maybe Some Stuff Defense Lawyers Might Find Useful
from the all-good-on-THIS-side,-assume-same-for-others,-etc. dept
Ransomware is everywhere. And it's affecting everything, including critical systems. Sure, it's kind of humiliating to be locked out of your smart TV, but hospitals are being locked out of patient records and -- in a new twist -- hotel guests are being locked out of their rooms.
Then there's something like this, where the chain of evidence is disrupted by ransomware purveyors.
The Cockrell Hill Police Department lost video evidence and a cache of digital documents after hackers invaded the department’s computer system last month.
Stephen Barlag, Cockrell Hill's police chief, said the incident was not the work of hackers, but acknowledged that the incident included a computer-generated ransom demand.
"This was not a hacking incident," Barlag said in a news release Wednesday evening. "No files or confidential information was breached or obtained by any outside parties."
[Rather entertaining to note WFAA's opening sentence is immediately contradicted by the Police Chief's statements. #journalism]
While it's reassuring no evidence was obtained by outside parties, it's not that much more reassuring to hear the owner of the data couldn't access it either. The PD consulted with the FBI before coming to the conclusion that the files might still be inaccessible even if it did pay the $4,000 ransom.
The department, however, is not being all that upfront about the possible negative effect this might have on criminal defendants, who might want to challenge the evidence against them or look through it for anything exculpatory. The department -- despite admitting its backup was similarly infected -- claims this is no big deal.
Barlag said of the lost files, “none of this was critical information.”
Define "critical."
"Well, that depends on what side of the jail cell you're sitting," said J. Collin Beggs, a Dallas criminal defense lawyer who has a client charged in a Cockrell Hill felony evading case involving some of the lost video evidence.
This would be video evidence Beggs has been asking for since last summer -- well before the PD's files were wiped out by ransomware. It could be very critical information, despite Police Chief Barlag's assertion to the contrary. What's useful to a defendant is seldom viewed as useful by law enforcement. Hence the difference of opinion.
But even while stating nothing of (subjective) value was lost, Chief Barlag did admit there was a possibility that defense lawyers might be interested in finding out what evidence might no longer be available. And the department may not have made this loss public if it hadn't needed to speak to defendants about its inability to secure relevant evidence.
Barlag said he didn’t know how much of the digital material lost was evidence in pending criminal cases, but acknowledged that some of it was. He said no cases have been dismissed that he knows of because of the losses.
Well… yet. The infection wasn't discovered until December 12th and the department didn't go public until more than a month after that. So, news that evidence needed in prosecutions may not be available has spread very slowly. And the details of what's recoverable make it clear that the department values narrative over less-biased documentation. The police reports are retained in hard copy. Any recordings of incidents detailed in these reports are apparently backed up in a more haphazard fashion.
Some of the videos were backed up on CDs, but those that were not are lost.
No police reports, nor any criminal history information, was lost, Barlag said.
Comforting… for the police department. Not so much for criminal defendants, who are going to have an even harder time arguing against "our word vs. yours" assertions -- which cops can back up with police reports while giving defendants nothing at all to push back with.
Filed Under: cockrell hill police department, evidence, hack, police, ransomware, stephen barlag
Reader Comments
[ link to this | view in thread ]
Is this the new way of losing inconvenient evidence?
[ link to this | view in thread ]
If you are handling sensitive evidence like this you should have a very secure system to do it and to safely store it (otherwise how can you prove chain of custody?).
[ link to this | view in thread ]
Adverse inference -- How convenient you lose all the exculpatory evidence!
What I don't get is why police (and the FOP) don't seem to need to convict criminals "by the book". All this sloppiness!
[ link to this | view in thread ]
"This was not a hacking incident" So it was caught by somebody looking at Russian porn on a Police computer, probably during work hours. Nice to see taxpayer money well spent.
“none of this was critical information.” It wasn't drug money so who cares, besides defendants are guilty as soon as they're charged, no?
/s
[ link to this | view in thread ]
"No files or confidential information was breached"
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Erm...
Defendant: There's a disagreement between what the defendant says and the police officer. As such, we need your bodycam footage please
PD: Erm, we lost it all. Ransomware, yes, ransomware, that was it. Damn shame.
[ link to this | view in thread ]
Chain of Custody
Suffice to say, I'm glad I'm not the Department's IT staff or the prosecutor who is going to have to convince a judge that the evidence should be admitted.
[ link to this | view in thread ]
Easy equation to understand
Incriminating Evidence = HIGH value.
As only "Exonerating" evidence was lost, the statement is therefore true.
Q.E.D.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
The prosecutor may dismiss the case rather than deal with the headache but then they have to deal with the fallout over the police losing the evidence in the first place. The fact that the only evidence that was unrecoverable was evidence crucial to the defense speaks volumes as to the shenanigans of the police department and offers a clue as to their motives.
The judge may even find that the evidence destroyed penalizes the client and violates his constitutional right to due process. The police department surely made backups of this evidence. I find it hard to believe they didn't back up this evidence, even if it was embarrassing to the department.
[ link to this | view in thread ]
You wouldn't have been arrested in the first place...
/s
[ link to this | view in thread ]
not lost, destroyed
[ link to this | view in thread ]
It's up to either the courts or the prosecutor to determine whether to dismiss a case. But, there's no penalty for it.
[ link to this | view in thread ]
I always thought the key might have been demagnetized by something on the park. I wonder now if some kind of malware could have screwed up the lock, as the office had to make a new key card for me next morning.
[ link to this | view in thread ]
Re:
Some departments were so secure I had to send them blind SQL statements to update their database which I could never view. These SQL statements would be, of course, gone over with a fine-toothed comb prior to execution. And you could never hook a computer up to their network. You had to use theirs with a secure remote desktop to your own machine that couldn't transfer files. If you wanted to deliver software, it had to be done in a prescribed way to be scanned first. And you had to have a background check first or you never even got to do any of that.
Others would beg us to come in on a remote desktop with a single shared password that never changed and that everyone who ever worked there knew. And they would just let us do anything we wanted with full admin rights, even though we were just contractors.
It was stunning how all or nothing it was.
[ link to this | view in thread ]
Re:
Per the article, they have backups, and those backups are likewise compromised (except for the backups written to CD, which apparently are not comprehensive). This leads to one of a few possibilities, none of them good:
[ link to this | view in thread ]
Re:
1. If your lock was infected, every other lock in the building would also be infected, since the likelihood of every lock being on a separate system with separate malware protection is infinitesimally small.
2. If the lock was infected with malware, making a new key card would have done exactly nothing.
[ link to this | view in thread ]
Re:
- Danny Hillis
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
rule #1
never ever is there 1 copy...
Original copy, computer copy, OFFSITE COPY....
PERIOD..NO IF, OR, AND, BUT, coulda/woulda/mighta///
[ link to this | view in thread ]
Seems simple enough
If hackers had access to the evidence then none of it should be admissible, as it's not possible to prove that it wasn't tampered with. While that's certainly a pain for the police and defense lawyers (more the former than the latter I'd imagine) it's their own damn fault for not keeping backup copies of such important data in multiple formats beyond gorram CDs of some of the data.
Maybe having every single current case undermined will give them the incentive they need to practice better security and data backup going forward.
[ link to this | view in thread ]
Re: rule #1
[ link to this | view in thread ]