Last September, law enforcement agents from five counties in Southern California coordinated an operation to investigate, raid, and arrest more than 600 suspected sex offenders. The mission, Operation Protect the Innocent, was one of the largest such raids in years, involving over 64 agencies. According to the Los Angeles Police Department, it was coordinated using a free trial of an app called SweepWizard.
The raid was hailed as a success by Chief Michael Moore of the LAPD at a press conference the following week. But there was a problem: Unbeknownst to police, SweepWizard had been leaking a trove of confidential details about the operation to the open internet.
The data, which the LAPD and partners in the regional Internet Crimes Against Children (ICAC) Task Force uploaded to SweepWizard, included private information about the suspects as well as sensitive details that, in the wrong hands, could tip off suspects as to when they were going to be raided and cast suspicion on people who had not yet been convicted of any crime.
The SweepWizard app, built by a company called ODIN Intelligence, is meant to help police manage multi-agency raids. But WIRED found that it didn’t just expose data from Operation Protect the Innocent; it had already leaked confidential details about hundreds of sweeps from dozens of departments over multiple years. The data included personally identifying information about hundreds of officers and thousands of suspects, such as geographic coordinates of suspects’ homes and the time and location of raids, demographic and contact information, and occasionally even suspects’ Social Security numbers. All this data was likely exposed due to a simple misconfiguration in the app, according to security experts.
The Los Angelese Police Department said it was unaware of the problem until WIRED reached out for comment. In a phone call, Captain Jeffery Bratcher, commanding officer of the LAPD Juvenile Division and project director for the ICAC Task Force, said the department is concerned and is taking the matter seriously. “Operational security is always paramount to us. We don’t want people to know when and if we are coming,” he says.
In a separate statement, Captain Kelly Muniz of the LAPD’s Media Relations Division, said the department has suspended the use of SweepWizard until a thorough investigation is complete. According to their statement, “the department is working with federal law enforcement to determine the source of the unauthorized release of information, which is currently unclear. At this point in the investigation, it has not been determined if the third-party application or another means is the source of the unauthorized release.”
The exposed data contained the location and names of 5,770 suspects, mostly located in California. In some instances, the data included their height, weight, and eye color and indicated whether they were experiencing homelessness. For more than 1,000 of these suspects, SweepWizard also exposed their Social Security numbers. According to the data, several of these suspects were juveniles at the time of the sweeps. Arrest records and press releases confirm that several people whose names appeared in the leaked data were arrested after the raid.