SweepWizard Law Enforcement App Gets Caught Leaking Private Police Data
The exposure occurred at a specific web address where anyone could obtain police data from SweepWizard without any form of authentication. Threat actors could possibly have abused this insecure application programming interface (API) endpoint to access sensitive information and monitor police activity, though it’s currently unknown whether such third-party access occurred. According to the report, the exposed database contained information relating to at least one scheduled operation, as well as over two hundred operations spanning from 2011 to December 2022.
WIRED, which published the report about the insecure API endpoint, first alerted the Los Angeles Police Department (LAPD) to the problem. The department responded by suspending its use of SweepWizard and launching an investigation into the matter. Captain Kelly Muniz from the LAPD’s Media Relations Division told WIRED, “the department is working with federal law enforcement to determine the source of the unauthorized release of information, which is currently unclear. At this point in the investigation, it has not been determined if the third-party application or another means is the source of the unauthorized release.”
WIRED also disclosed the issue to ODIN Intelligence before publishing its report. The company promptly removed the app from the Apple App Store and Google Play and took down the SweepWizard website. After an initial investigation, the CEO of ODIN Intelligence, Erik McCauley, stated, “Thus far, we have been unable to reproduce the alleged security compromise to any ODIN system. In the event that any evidence of a compromise of ODIN or SweepWizard security has occurred, we will take appropriate action.”