A Police App Exposed Secret Details About Raids and Suspects

The exposed data contained the location and names of 5,770 suspects, mostly located in California. In some instances, the data included their height, weight, and eye color and indicated whether they were experiencing homelessness. For more than 1,000 of these suspects, SweepWizard also exposed their Social Security numbers. According to the data, several of these suspects were juveniles at the time of the sweeps. Arrest records and press releases confirm that several people whose names appeared in the leaked data were arrested after the raid. 

SweepWizard also appeared to have revealed the names, phone numbers, and email addresses of hundreds of law enforcement officers, as well as the operational details of nearly 200 sweeps. These details included the exact date and time of the sweep, the organizing officers, as well as information like where the pre-sweep briefings were to occur.

After verifying the data exposure, WIRED notified ODIN Intelligence, which quickly took down the app and began an investigation. After declining an interview, Erik McCauley, the CEO and founder of the company, said in a statement, “ODIN Intelligence Inc. takes security very seriously.  We have and are thoroughly investigating these claims.” He added, “Thus far, we have been unable to reproduce the alleged security compromise to any ODIN system. In the event that any evidence of a compromise of ODIN or SweepWizard security has occurred, we will take appropriate action.” McCauley did not respond to specific questions about the issue.

At the time of publication, SweepWizard’s website is no longer accessible, and the app has been removed from Google Play and Apple’s App Store.

WIRED received a tip that there was a flaw in SweepWizard’s application programming interface, or API, that allowed anyone with a specific URL to retrieve confidential law enforcement data from the app. WIRED downloaded the Android version of the app from Google Play and verified that its API endpoints were in fact returning data regardless of authentication—in other words, you didn’t need to be logged in to the app to view sensitive data about years’ worth of raids and other police operations. The data could be viewed in any web browser simply by visiting a SweepWizard URL. 

While the SweepWizard mobile app first launched in 2016, according to app store information, WIRED found data from sweeps going back to 2011, including more than 20 sweeps on Halloween over the years with names like Operation Boo, Operation Hocus Pocus, and Halloween Havoc. (Archived versions of the SweepWizard website date back to 2011.) The most recent data WIRED reviewed includes sensitive information about raids that took place on December 19, 2022. 

It’s unclear whether all SweepWizard data was exposed ahead of scheduled raids, and ODIN Intelligence did not respond to specific questions about when the data may have been publicly accessible. However, while confirming the API vulnerability, WIRED observed that data from at least one scheduled sweep had been made public. It is also unclear whether anyone used the data SweepWizard leaked to the open web for nefarious purposes.