Thousands of First Responders Exposed in ALERRT Breach

First responders strive to quickly eliminate pressing threats, but a newly exposed data breach has placed these officials in some peril of their own. A breached database used by the Advanced Law Enforcement Rapid Response Training (ALERRT) center at Texas State University has exposed the personal information of tens of thousands of participants. ZDNet reported that the databases include personally identifiable information, such as names, personal email addresses, zip codes and other data.

ALERRT offers courses to first responders and is said to have trained more than 130,000 law enforcement and fire officials from across the U.S. Now it seems an April 2017 database concerning those officials, as well as the center's instructors, was uploaded to a web server earlier this year without password protection. A "data breach hunter" known as Flash Gordon discovered the database and shared a copy of it with ZDNet.

The information exposed by this database varies. Instructors had their names, skills and training revealed. Roughly 65,000 officers who offered feedback on a course had their names and zip codes exposed. Others had their work contact information, work addresses and cell numbers made public. Emails in the database are said to include even more sensitive information, and password reset emails requested officers' dates of birth or the last four digits of their Social Security Numbers (it's unclear why ALERRT needed this info to reset a password).

ZDNet said one database also collected sensitive location information:

"Another table contained 51,345 sets of geolocation coordinates of schools, courts, police departments and government buildings, like city halls and administrative offices. The data also included places of interest, such as where people gather -- like universities and malls. The list also contained, in some cases, police officers' home addresses. We confirmed this using Google's Street View, which in several cases revealed marked police vehicles outside the residence."

Yet perhaps the most sensitive information comes from officers' requests to ALERRT for assistance. Several departments revealed that they weren't properly equipped to respond to active shooters, whether it was because they didn't have a full-time SWAT team, because agencies  didn't train together, or some other reason. Someone could use this data to know where a police response would be weak.

The ALERRT breach doesn't come as much of a surprise--it seems like a day can't pass without some organization revealing sensitive data. Unfortunately, the method by which the data was leaked is also pretty standard, with countless groups leaving private info on publicly accessible servers without so much as a password to keep it safe. These servers are practically begging to be discovered and have their contents exposed.

Just look at the Exactis breach revealed this week. The data broker exposed 340 million records with information about an estimated 230 million consumers by storing it in a database that a security researcher found with a quick web search. ALERRT's leak doesn't contain as many records, but it does show that even organizations that work with law enforcement officials can be careless when it comes to securing their data. 

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • braneman
    At this point, this kind of thing needs to be considered basically treasonable. These people are basically releasing the personal information of tons of people and this is the second story I've seen of this magnitude in two weeks. They need to be charged appropriately for being this careless with other people's data or they need to not have their data at all.
  • pnartg
    There have to be consequences. Data breaches, ransomware hitting hospitals, malware of all kinds is screwing up too many people's lives and threatening public safety and these events happen almost daily and on a massive scale. Hardware and software companies with vulnerabilities in their products need to feel it sharply in their pocketbooks, and employees and IT personnel at financial service companies, retailers, and educational institutes like ALERRT need to experience legal or financial impacts from their carelessness. Only consequences will motivate improvement. As of this writing there are 32 class-action suits filed against Intel for Spectre and Meltdown, and that's a good start!