​Active shooter training center leaks personal data of thousands of law enforcement officials

A federally funded active shooting training center has reportedly exposed the personal data of thousands of US law enforcement officials. The massive database was discovered by a New Zealand-based data breach hunter who goes by the pseudonym Flash Gordon.

Dating back to April 2017, the database is believed to be owned by Advanced Law Enforcement Rapid Response Training (ALERRT) at Texas State University and was uploaded to a web server in 2018 with no password protection, ZDNet reported.

The organization provides training for law enforcement personnel and civilians to prevent or tackle active shooting incidents.

Trove of personal, sensitive data exposed

The database contained identifiable information of local and state police officers as well as federal agents who sought out or underwent active shooter response training over the past few years. It also contained thousands of personal records and law enforcement officers' work contact information such as work addresses, cell phone numbers and personal email addresses.

Data belonging to personnel from the FBI, Customer and Border Protection (CBP) and US Border Patrol were included in the exposed cache.

Full names and zip codes of about 65,000 officers who underwent the ALERRT course and provided feedback were listed in one table. The detailed histories of ALERRT instructors, their skills and training were listed in another table. A third table contained the names of over 17,000 instructors, ZDNet reports.

One table contained 51,345 sets of geo-location coordinates of schools, government buildings, courts and police departments along with places of interest where people usually gather such as malls or universities. Police officers' home addresses were also listed in some cases, ZDNet reports.

How prepared are police departments at handling active shooter situations?

The database also provided insight into how prepared various police departments and law enforcement agencies across the country are at handling active shooting incidents.

Over 85,000 emails that were sent by ALERRT staff to prospective trainees and course takers that date back to at least 2011 were listed in the database. Many emails also contained sensitive information of officers such as their birth date or the last four digits of their Social Security number.

Some emails notified law enforcement personnel of successful enrollment in ALERRT courses and contained names, email addresses, phone numbers, the course they signed up for as well as when and where they were offered.

Requests made by law enforcement officials to the organization that included their department's law of training, capabilities and deficiencies within their jurisdiction were also exposed.

One exposed email revealed that a police department "doesn't have a full-time SWAT team" to which it received a response that the ALERRT organization "couldn't facilitate his request at this time." While one university police lieutenant requested training adding that there was "no active shooter response instructor training [in the area] in the last five years, a police sergeant in a rural town requested training saying most of the town residents are firearm owners, but the closest shooter response team was over half an hour away.

"This intelligence could be easily exploited by domestic terrorists or 'lone wolfs' to exploit the weaknesses discussed in this correspondence," security researcher John Wethington told ZDNet. "For instance, an individual who wanted to push a particular state or local agency and the community it supports into a crisis need only look for an agency or community in this data that has expressed concern for their ability to respond to a active shooter."

Response to the breach

The database has since been reportedly removed. However, it is still unclear how long the data was left unprotected online, if the database was accessed by any malicious actors and the containing data misused so far.

ALERRT, Homeland Security and the FBI have yet to publicly comment on the incident.

However, Flash Gordon revealed in June that the Department of Homeland Security has served Twitter with a subpoena demanding various information of the data breach finder's account, including screen name, address, phone number, IP address history, member lists, complaints filed against it and any linked information to the account such as credit cards.

The New Zealand native has has discovered multiple exposed databases to date. It is unclear why Homeland Security is seeking information on the account, but Flash Gordon believes it is likely linked to the ALERRT data leak.

"I don't know what else [Homeland Security] would want from me," he told ZDNet.