Cyber Incident Victim: ODIN Intelligence
Date: Jan 2016
Location: United States of America
Summary
A police operations management app developed by ODIN Intelligence exposed sensitive law enforcement data due to an API misconfiguration, allowing unauthorized access to confidential raid details without authentication. The leaked information included suspects' personal identifiers, home coordinates, Social Security numbers, and officers' contact details across hundreds of operations spanning multiple jurisdictions. The Los Angeles Police Department and regional task forces had used the SweepWizard application to coordinate large-scale operations, suspending its use after discovering the exposure. Security experts attributed the vulnerability to authorization oversights where the system failed to validate access tokens, enabling public retrieval of operational plans and suspect records. The company removed the app from distribution platforms and initiated an investigation while disputing initial evidence of compromise, despite independent verification of the security flaw.
Description
In September 2022, law enforcement agencies across five Southern California counties utilized ODIN Intelligence’s SweepWizard app to coordinate Operation Protect the Innocent, a multi-agency operation targeting over 600 suspected sex offenders. The Los Angeles Police Department (LAPD) confirmed using a free trial of SweepWizard to manage the raid, which involved 64 agencies and was later publicly praised as successful. Unbeknownst to participating agencies, SweepWizard had exposed confidential operational details to the open internet due to an API misconfiguration. Security researchers and WIRED verified that the app’s API endpoints returned sensitive data without requiring authentication, allowing anyone with specific URLs to access raid schedules, suspect information, and officer details. The exposed data included names, geographic coordinates of suspects’ homes, planned raid times, pre-operation briefing locations, and personal details such as height, weight, eye color, and homelessness status for 5,770 suspects, primarily in California. Over 1,000 suspects had their Social Security numbers exposed, and several identified individuals were confirmed via arrest records to have been apprehended during the operation. Additionally, the leak revealed names, phone numbers, and email addresses of hundreds of law enforcement officers and operational specifics for nearly 200 sweeps dating back to 2011, including Halloween-themed operations like "Operation Boo."

The LAPD stated it was unaware of the exposure until WIRED’s inquiry and immediately suspended SweepWizard’s use pending investigation. Captain Jeffery Bratcher of the LAPD Juvenile Division emphasized operational security concerns, while the department collaborated with federal authorities to determine the leak’s origin. ODIN Intelligence removed SweepWizard from app stores and took its website offline after WIRED’s disclosure but denied evidence of a security compromise. CEO Erik McCauley asserted the company was investigating but could not reproduce the alleged vulnerability, declining to address specific questions about CJIS compliance or API flaws. Security experts, including Ken Munro of Pen Test Partners and researcher Zach Edwards, attributed the exposure to a basic authorization oversight, noting the app failed to validate access tokens for API requests. The Yolo County District Attorney’s Office confirmed using SweepWizard during a November 2022 operation and cited ODIN’s prior claims of CJIS compliance, which FBI policy documents suggested were inaccurate. While no confirmed misuse of the leaked data was documented, the exposure risked compromising raid integrity and exposing unconvicted suspects’ personal information, including juveniles. Investigations by multiple agencies remained ongoing at the time of reporting.
