SweepWizard Law Enforcement App Gets Caught Leaking Private Police Data

hero sweepwizard law enforcement app leaked police data news
A new report claims that a law enforcement app leaked the personal details of suspects and police officers involved in major police operations going all the way back to 2011. SweepWizard, the app in question, was developed by ODIN Intelligence to help police coordinate multi-agency raids, such as Operation Protect the Innocent in which more than sixty-four agencies arrested over 600 suspected sex offenders last September. The agencies involved in this operation used a free trial of SweepWizard, and, as a result, sensitive information about the operation ended up exposed to the Web.

This exposure occurred at a specific web address at which anyone could obtain police data from SweepWizard without any form of authentication. This insecure application programming interface (API) end point could have possibly been abused by threat actors to access sensitive information and monitor police activity, though it’s currently unknown whether such third-party access occurred. According to the report, the exposed database contained information relating to at least one scheduled operation, as well as over two hundred operations spanning from December 2022 to 2011.

sweepwizard on apple app store news
An archived version of SweepWizard’s page on the Apple App Store (click to enlarge)

The leaked information included locations and names for 5,770 suspects, with further information, such as height, weight, eye color, and housing status, specified in some cases. These additional details also contained the Social Security numbers of more than 1,000 suspects. The insecure API endpoint also exposed the names, phone numbers, and email addresses of hundreds of members of law enforcement.

WIRED, who published the report about the insecure API endpoint, first alerted the Los Angeles Police Department (LAPD) about the problem. The department responded by suspending its use of SweepWizard and launching an investigation into the matter. Captain Kelly Muniz from the LAPD’s Media Relations Division told WIRED, “the department is working with federal law enforcement to determine the source of the unauthorized release of information, which is currently unclear. At this point in the investigation, it has not been determined if the third-party application or another means is the source of the unauthorized release.”

WIRED also disclosed this issue to ODIN Intelligence prior to publishing its report. The company promptly removed the app from the Apple App Store and Google Play and took down the SweepWizard website. After an initial investigation, the CEO of ODIN Intelligence, Erik McCauley stated, “Thus far, we have been unable to reproduce the alleged security compromise to any ODIN system. In the event that any evidence of a compromise of ODIN or SweepWizard security has occurred, we will take appropriate action.”