On June 23, 2011, the hacktivist collective LulzSec released 700 confidential documents from Arizona Department of Public Safety internal servers, including case files, phone numbers, and home addresses of officers. A second release on June 29 added passwords, Social Security numbers, online dating accounts, voicemails, and chat logs. The group framed the breach as retaliation for Arizona SB 1070.
What happened
On June 23, 2011, the hacktivist collective LulzSec released a 440MB archive titled 'Chinga La Migra' containing approximately 700 internal documents from Arizona Department of Public Safety servers. The dump included case files, intelligence bulletins, training manuals, officer phone numbers, and officer home addresses. A second release followed on June 29, 2011, adding passwords, Social Security numbers, online dating account credentials, voicemails, and personal chat logs of named officers. LulzSec stated the breach was retaliation for Arizona SB 1070, the state's 2010 immigration enforcement law. The Arizona DPS confirmed the breach was authentic. The dump was hosted on file-sharing sites and remained widely available for years afterward. Several LulzSec members were later identified, arrested, and prosecuted in unrelated federal cases.
What happened
On June 23, 2011, the hacktivist collective LulzSec posted a 440MB archive titled "Chinga La Migra" containing about 700 internal documents from Arizona Department of Public Safety servers. The release included case files, intelligence bulletins, training manuals, officer phone numbers, and officer home addresses.
A second dump followed on June 29. That one added passwords, Social Security numbers, online dating account credentials, voicemails, and personal chat logs tied to named officers and their families. The Arizona DPS confirmed the breach was authentic. Coverage from WIRED, NBC News, and The Guardian ran the same week.
The archive was hosted on file-sharing networks. It remained widely available for years.
How it started
LulzSec framed the breach as political retaliation. The group's release notes named Arizona SB 1070, the state's 2010 immigration enforcement law, as the reason for the attack. The collective ran a roughly 50-day campaign in mid-2011 that targeted Sony, the U.S. Senate website, the CIA public-facing site, and several other government and corporate systems. Arizona DPS was one of the largest law enforcement agency breaches in that run.
The breach itself ran through the agency's external-facing systems and pivoted to internal document stores. The data that ended up in the dump was data the agency had collected for internal use, the kind of file an officer assumes lives behind a login.
Several LulzSec participants were identified, arrested, and prosecuted in later federal cases. The dump itself was never recalled.
Why this case matters
This is the precedent. The first mass-scale law enforcement doxxing in the United States. Everything that followed, the Ferguson dumps in 2014, the Anonymous campaigns through the late 2010s, the ICE List releases in 2025 and 2026, traces back to the template LulzSec wrote in June 2011. Hacktivist collective. Internal data. Mass dump. Political framing.
The 14-year retrospective is the part worth sitting with. In 2011, hackers had to commit federal crimes to publish 700 officer home addresses. They went to prison for it.
By 2026 the same exposure profile is available on a public broker page. Name in. Address out. No login. No felony. Just a credit card.
The threat surface widened. The criminal cost dropped to zero. The federal computer-fraud statute has nothing to say about a people-search company that legally compiles the same address from voter rolls and property records.
What this means for you
If you're on the job in any sworn capacity, the Arizona DPS dump is the case to point at when someone tells you the broker layer is just a marketing nuisance. The kind of file that took a hacktivist collective to publish in 2011 is the kind of file that's already published, by paid services, today.
Daniel's Law in NJ and the Lieu Act for federal judges work because they treat the broker page as the modern version of the LulzSec dump. Same data. Same exposure. Different distribution channel.
For the broader threat shape and the modern parallels, see /doxxing and the ICE List leak for what the same template looks like in 2026.
Editorial rules: Only public, already-reported incidents. Never name a non-public victim. Always end with the prevention takeaway tied to our service. Cite at minimum one public source per claim.
What would have prevented this
In 2011, LulzSec had to break into a state agency's internal servers to publish 700 officer home addresses. By 2026, most of that same exposure is sitting on commercial broker pages, available to anyone with a credit card and no felony required. The data layer that LulzSec attacked was internal-only, the kind of file an officer would have assumed was protected. The lookup that replaces it today is public-facing by design. The criminal cost has dropped to zero. The exposure has gotten wider. Continuous broker removal is the part that closes the modern version of the same lookup.
Public sources
- Lulz Security Hacks Arizona Police — WIRED, 2011-06-24
- Hacker group LulzSec releases data from Arizona police — NBC News, 2011-06-24
- LulzSec releases Arizona law enforcement data — The Guardian, 2011-06-24
- Hackers Breach the Web Site of Stratfor Global Intelligence — The New York Times, 2011-06-23