First responders strive to quickly eliminate pressing threats, but a newly exposed data breach has placed these officials in some peril of their own. A breached database used by the Advanced Law Enforcement Rapid Response Training (ALERRT) center at Texas State University has exposed the personal information of tens of thousands of participants. ZDNet reported that the databases include personally identifiable information, such as names, personal email addresses, zip codes and other data.
ALERRT offers courses to first responders and is said to have trained more than 130,000 law enforcement and fire officials from across the U.S. Now it seems an April 2017 database concerning those officials, as well as the center's instructors, was uploaded to a web server earlier this year without password protection. A "data breach hunter" known as Flash Gordon discovered the database and shared a copy of it with ZDNet.
The information exposed by this database varies. Instructors had their names, skills and training revealed. Roughly 65,000 officers who offered feedback on a course had their names and zip codes exposed. Others had their work contact information, work addresses and cell numbers made public. Emails in the database are said to include even more sensitive information, and password reset emails requested officers' dates of birth or the last four digits of their Social Security Numbers (it's unclear why ALERRT needed this info to reset a password).
ZDNet said one database also collected sensitive location information:
"Another table contained 51,345 sets of geolocation coordinates of schools, courts, police departments and government buildings, like city halls and administrative offices. The data also included places of interest, such as where people gather -- like universities and malls. The list also contained, in some cases, police officers' home addresses. We confirmed this using Google's Street View, which in several cases revealed marked police vehicles outside the residence."
Yet perhaps the most sensitive information comes from officers' requests to ALERRT for assistance. Several departments revealed that they weren't properly equipped to respond to active shooters, whether it was because they didn't have a full-time SWAT team, because agencies didn't train together, or some other reason. Someone could use this data to know where a police response would be weak.
The ALERRT breach doesn't come as much of a surprise; it seems like a day can't pass without some organization revealing sensitive data. Unfortunately, the method by which the data was leaked is also pretty standard, with countless groups leaving private info on publicly accessible servers without so much as a password to keep it safe. These servers are practically begging to be discovered and have their contents exposed.
Just look at the Exactis breach revealed this week. The data broker exposed 340 million records with information about an estimated 230 million consumers by storing it in a database that a security researcher found with a quick web search. ALERRT's leak doesn't contain as many records, but it does show that even organizations that work with law enforcement officials can be careless when it comes to securing their data.