The Department of Homeland Security collected data on Chicago residents accused of gang ties to test if police files could feed an FBI watchlist. Months passed before anyone noticed it wasn’t deleted.
Analysis Summary
# Incident Report: Unauthorized Retention of Chicago Police Data by DHS
## Executive Summary
The Department of Homeland Security (DHS) conducted an internal experiment to test whether Chicago Police Department (CPD) gang-related data could feed an FBI watchlist. This unauthorized data retention, which reportedly began in the summer of 2021, persisted for approximately seven months past the mandated deletion date because of systemic mismanagement and a failure of oversight processes. Retaining this sensitive, error-prone local data on federal servers ultimately breached rules designed to prevent domestic intelligence targeting of U.S. residents.
## Incident Details
- **Discovery Date:** November 21, 2023 (when DHS officers finally deleted the data and a formal report acknowledging the lapse was created).
- **Incident Date:** The data collection/transfer began around Summer 2021 (when requested by a field officer) and was on the server by approximately April 2022. The retention period lasted for roughly seven months past the intended deletion deadline.
- **Affected Organization:** Department of Homeland Security (Office of Intelligence & Analysis - I&A), with data originating from the Chicago Police Department (CPD).
- **Sector:** Government/Law Enforcement/Intelligence Overlay.
- **Geography:** Chicago, IL (Data Source) and Federal DHS Servers (Storage).
## Timeline of Events
### Initial Access
- **Date/Time:** Summer 2021.
- **Vector:** Authorized (internal) data collection/transfer based on a pilot project request by a DHS I&A field officer, leveraging a private exchange mechanism with CPD.
- **Details:** DHS I&A sought CPD data on alleged gang members (initially ~900 residents) to test integration into federal watchlists, bypassing local sanctuary policies.
### Lateral Movement
- **Date/Time:** Around April 2022.
- **Vector:** Not applicable (Internal transfer/storage, not external compromise).
- **Details:** The data landed on the DHS I&A server. The field officer who initiated the transfer had left their post, contributing to loss of oversight. **Note:** The structure of the data transfer appears to be a procedural failure rather than a malicious lateral movement in a traditional sense.
### Data Exfiltration/Impact
- **Date/Time:** Data remained stored until November 21, 2023.
- **Impact:** Approximately 800 files were retained past the deletion deadline, breaching domestic intelligence rules. The retention potentially allowed sensitive, error-ridden local data (including inaccurate gang designations lacking arrest/conviction evidence) to be processed federally, subverting local privacy/sanctuary rules.
### Detection & Response
- **Date/Time:** November 21, 2023.
- **Detection:** The lapse was noticed months after the required deletion date.
- **Response actions taken:** The DHS I&A project was killed, and the dataset was formally deleted. The event was memorialized in a formal internal report following inquiries (partially driven by FOIA requests).
## Attack Methodology
Since this was an internal procedural failure, traditional attack vectors like exploitation or external access do not strictly apply. The methodology centers on process circumvention and failure:
| Category | Methodology Used |
| :--- | :--- |
| **Initial Access** | Internal, authorized data transfer request bypassing expected safeguards. |
| **Persistence** | Procedural negligence: Failure to file required audits, missed deletion deadlines, and lack of ownership clarity after the initiating officer departed. |
| **Privilege Escalation** | N/A - Internal data access was granted via role/authorization, not exploited privilege escalation. |
| **Defense Evasion** | Circumvention of policy controls by framing the transfer as an intelligence "workaround" that routed around local sanctuary protections. |
| **Credential Access** | N/A |
| **Discovery** | N/A (Data was explicitly requested) |
| **Lateral Movement** | N/A (Procedural movement from local to federal server) |
| **Collection** | Collection of highly sensitive, potentially inaccurate, local law enforcement data marked by subjective and discriminatory entries (e.g., occupations listed as "SCUM BAG"). |
| **Exfiltration** | N/A (Data was retained internally, not exfiltrated externally). |
| **Impact** | Violation of domestic intelligence rules and potential unwarranted surveillance/impact on legal status of U.S. residents. |
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Approximately 800 records involving Chicago residents accused of gang ties. Data quality was highly suspect, containing non-verifiable or discriminatory information.
- **Operational:** Collapse of the internal DHS experiment/pilot project due to procedural failures. Established that DHS I&A was used as a mechanism to circumvent local law enforcement data sharing rules.
- **Reputational:** Significant reputational harm due to revelations that an intelligence oversight body's deletion order was ignored for months, violating rules against domestic espionage targeting.
## Indicators of Compromise
(As this was an internal process failure, traditional IoCs are not applicable. The indicators relate to procedural compliance.)
- **Network Indicators:** N/A (Internal server connection).
- **File Indicators:** Specific dataset containing CPD gang affiliation records transmitted from local channels to DHS I&A servers.
- **Behavioral Indicators:** Staff failure to enforce mandatory data deletion directives; lack of filing required audits; inadequate project tracking after personnel turnover.
## Response Actions
- **Containment Measures:** The project was terminated in November 2023.
- **Eradication Steps:** The retained dataset (nearly 800 files) was permanently deleted from the federal server.
- **Recovery Actions:** A formal internal report was generated documenting the lapse to address the procedural breach.
## Lessons Learned
- The system designed to keep intelligence focus external (foreign threats) failed when applied internally against U.S. residents due to procedural lapses.
- The data transfer structure provided a clear mechanism for federal agencies to circumvent local jurisdictional protections (sanctuary laws).
- Personnel turnover without proper knowledge transfer led to critical security/compliance obligations (data deletion) being overlooked for months.
- The inherent poor quality and subjectivity of the source data (CPD gang database) amplified the risk of federal errors and biases when ingested.
## Recommendations
- Implement mandatory, automated audit trails for all non-standard or temporary data storage projects, particularly those collected under experimental intelligence mandates.
- Institute mandatory, immediate transfer of responsibility (including active deletion tracking) upon personnel departure for any system holding sensitive PII/non-public data.
- Review and close loopholes that allow federal intelligence operations to indirectly ingest data that source jurisdictions have placed restrictions upon (e.g., sanctuary policy carve-outs).
- Prioritize data integrity checks *before* ingesting data from legacy or locally questionable sources into federal systems.
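As an added illustration (not code from the report or from DHS), this is the kind of retention-tracking check the first two recommendations describe: it flags any undeleted dataset whose deletion deadline has passed, whose owner has departed without reassignment, or whose periodic audit has lapsed. The inventory entries, staff names, dates and audit interval are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample data: a departed-staff roster and a dataset inventory.
DEPARTED_STAFF = {"officer_a"}  # hypothetical staff who have left their posts

INVENTORY = [
    # Mirrors the incident: stored April 2022, owner departed, never audited.
    {"dataset": "cpd-gang-pilot", "owner": "officer_a", "stored": date(2022, 4, 1),
     "delete_by": date(2023, 4, 15), "deleted": None, "last_audit": None},
    # Healthy record: deadline in the future, owner present, recently audited.
    {"dataset": "foreign-threat-feed", "owner": "analyst_b", "stored": date(2023, 1, 10),
     "delete_by": date(2024, 1, 10), "deleted": None, "last_audit": date(2023, 10, 1)},
    # Already disposed of before its deadline: nothing left to track.
    {"dataset": "closed-pilot", "owner": "officer_a", "stored": date(2021, 6, 1),
     "delete_by": date(2022, 6, 1), "deleted": date(2022, 5, 20),
     "last_audit": date(2022, 5, 1)},
]

AUDIT_INTERVAL = timedelta(days=90)  # assumed review cadence for temporary projects


def check_retention(inventory, departed, today, audit_interval=AUDIT_INTERVAL):
    """Return (dataset, finding) tuples for every compliance gap found."""
    findings = []
    for rec in inventory:
        if rec["deleted"] is not None:
            continue  # disposal already recorded
        name = rec["dataset"]
        if today > rec["delete_by"]:
            overdue = (today - rec["delete_by"]).days
            findings.append((name, f"deletion overdue by {overdue} days"))
        if rec["owner"] in departed:
            findings.append((name, f"owner {rec['owner']} departed; not reassigned"))
        # A dataset that was never audited is measured from its storage date.
        last_review = rec["last_audit"] or rec["stored"]
        if today - last_review > audit_interval:
            findings.append((name, "audit overdue"))
    return findings


def run_report(today=date(2023, 11, 21)):
    """Run the check as of the date the lapse was finally acted on."""
    return check_retention(INVENTORY, DEPARTED_STAFF, today)


if __name__ == "__main__":
    for dataset, finding in run_report():
        print(f"{dataset}: {finding}")
```

Run on the sample inventory, only the pilot dataset produces findings, and its deletion is reported as 220 days overdue, roughly the seven months the report describes.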