SweepWizard app suffers major leak of private police data

Last September, law enforcement officers from five Southern California counties coordinated an operation to investigate and arrest more than 600 suspected sex offenders. 

The mission, dubbed "Operation Protect the Innocent," was one of the largest operations of its kind in years, involving more than 64 agencies. According to the LAPD, it was coordinated using a free trial of an app called SweepWizard.

But there was a problem: unbeknownst to the police, SweepWizard leaked the names and locations of 5,770 suspects onto the Internet, in some cases along with additional information such as height, weight, eye color and housing status.

These additional details also included the Social Security numbers of over 1,000 suspects. The unsecured API endpoint also exposed the names, phone numbers and email addresses of hundreds of law enforcement personnel.

This exposure took place at a specific web address where anyone could obtain police data from SweepWizard without any form of authentication.

This unsecured application programming interface (API) endpoint could have been used by threat actors to access sensitive information and monitor police activity, although it is currently unknown if such third-party access occurred. 

According to the report, the exposed database contained information on more than two hundred operations spanning from 2011 to December 2022.

WIRED, which published the report on the unsecured API endpoint, initially alerted the Los Angeles Police Department (LAPD) to the problem. The department responded by suspending its use of SweepWizard and launching an investigation into the matter.

Captain Kelly Muniz of the LAPD’s media relations division told WIRED that "the department is working with federal law enforcement to determine the source of the unauthorized release of information, which is unclear at this time. At this point in the investigation, it has not been determined whether the third-party app or some other means is the source of the unauthorized release."

WIRED also disclosed the issue to ODIN Intelligence before releasing its report. The company quickly removed the app from the Apple App Store and Google Play and took down the SweepWizard website. 

After an initial investigation, ODIN Intelligence CEO Erik McCauley said, "To date, we have not been able to replicate the alleged security breach of any ODIN system. If there is evidence of a security compromise of ODIN or SweepWizard, we will take appropriate action."
