An app used by law enforcement agencies to coordinate raids called SweepWizard has leaked confidential details about suspects, raids and law enforcement operations to the open internet due to a simple configuration error in the app.
The app, developed by Odin intelligence, was used to coordinate Operation Protect the Innocent — a plan to investigate, raid and arrest more than 600 suspected sex offenders coordinated by law enforcement agencies from five counties in South California.
While the operation was a success, the app left confidential details about the operation exposed on the internet. This consisted of information that the LAPD and the regional Internet Crimes Against Children (ICAC) task force uploaded to SweepWizard, including information that could tip off suspects or cast suspicion on people not yet convicted.
The leak stems from an API bug in the app that allows anyone with a specific URL to query the API for data from the app’s sources. This means that the app wasn’t using any authentication to protect its data.
Additionally, Wired reports that the app might have leaked confidential details about operations from over a dozen departments for some time. As was in the case of the operation mentioned above, these details also included identifying information on suspects, but this time officers were in the mix.
This data included geographic coordinates of suspects’ houses, time and location of raids, demographics and contact information and in the cases of over 1000 suspects, their Social Security Numbers. Overall, the app leaked the location and names of 5,770 suspects, mostly from California, across 200 raids. These details also included the exact date and time of the raid, organising officers and information regarding pre-raid briefings.
SweepWizard app launched in 2016 but had data from raids going back to 2011. In at least one case, the app had made data about a scheduled raid publicly accessible.
The LAPD was reportedly unaware of the issue until Wired reached out to them for a comment. Following the revelation, the use of SweepWizard has been suspended. According to their statement, “the department is working with federal law enforcement to determine the source of the unauthorized release of information, which is currently unclear.” At the moment, it’s also unclear whether or not a third party accessed the exposed data.
In the News: Guardian’s staff data was accessed in Dec 22′ ransomware attack
