DHS Deletes Compromised Chicago Police Data Amid Oversight Failures
On November 21, 2023, field intelligence officers from the Department of Homeland Security (DHS) deleted a significant volume of records from the Chicago Police Department (CPD), but this deletion was far from routine. The data in question, which concerned about 900 residents of the Chicagoland area, had been improperly stored on a federal server for seven months, violating a deletion order from an intelligence oversight board.
An internal investigation revealed that nearly 800 files had been retained in breach of regulations intended to prevent domestic intelligence operations from unlawfully targeting U.S. citizens. This dataset stemmed from a private interaction between DHS analysts and the CPD, intended to examine the potential for local intelligence to inform federal watchlists. The initiative aimed to identify undocumented gang members at critical transport points like airports and border crossings but ultimately fell apart due to mismanagement and a series of oversight failures.
Memorandums obtained reveal that in the summer of 2021, a DHS field officer initiated a request for data on Chicago’s notorious gang database, which had already been criticized for its inaccuracy and inconsistencies. Inspections highlighted that police could not confirm the reliability of the data, with some entries listing individuals as born before 1901 and others as infants. Furthermore, police records included derogatory labels such as “SCUM BAG” and “TURD,” showcasing a troubling disregard for accuracy and respect in data management.
These questionable designations of gang membership were utilized by prosecutors and law enforcement in both investigations and legal proceedings, particularly impacting immigrants. Although Chicago has sanctuary policies limiting data sharing with immigration authorities, exceptions for “known gang members” effectively created an avenue for federal access. Over a decade, immigration officers reportedly accessed this flawed data over 32,000 times.
According to the memos, what began as a limited data-sharing experiment devolved into a series of procedural lapses without a defined owner, allowing legal protections to be overlooked. By the time the records reached DHS’s Office of Intelligence & Analysis (I&A) in April 2022, the initiating officer had departed. The project ultimately failed due to bureaucratic issues, including missing signatures and unrecorded audits, and the deadline for deletion passed unnoticed.
In response to the improper handling of sensitive information, I&A terminated the project in late November 2023, erasing the dataset and documenting the breach in a formal report. The incident raises serious concerns regarding how federal intelligence operations can circumvent local sanctuary laws. It reflects a significant gap in oversight that could enable federal officers to exploit data designed for public safety, thus undermining resident protections.
In terms of cybersecurity implications, this breach highlights several relevant tactics outlined in the MITRE ATT&CK framework. Initial access may have been achieved through a lack of established protocols, while persistence could be indicated by the extended retention of the data in violation of established guidelines. A failure relating to privilege escalation is evident in that responsibilities became unclear, allowing sensitive information to remain accessible without proper oversight.
This incident serves as a critical reminder for business owners and cybersecurity professionals of the importance of data integrity and oversight. It underscores the need for robust policies that ensure compliance with legal protections, especially in sensitive situations involving local and federal data exchanges.