A data breach at ALERRT, a federally funded active shooter training centre in the USA, has exposed the personal data of thousands of US law enforcement officials and first responders.
According to a New Zealand-based data breach hunter known as ‘Flash Gordon’, who shared the information with ZDNet, a database belonging to Advanced Law Enforcement Rapid Response Training (ALERRT) was uploaded to a web server believed to be owned by the organisation, without password protection. The database dates back to April 2017, and includes identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years.
ALERRT works with federal agencies such as the FBI to provide civilians and law enforcement with active shooter training in order to help prevent or disrupt incidents. Though the organisation is part of Texas State University, it offers its services to individuals around the US, and is said to have trained over 114,000 law enforcement officials.
The information contained in the database varied from record to record, but overall included full names, personal email addresses, work addresses, mobile numbers, ZIP codes, the skills and training of instructors, geolocation coordinates of areas which might be targeted by a shooter, courses taken by individuals, and police officers’ home addresses.
It also included emails sent by the organisation, and requests submitted through the web form. Many of these requests contained information which could be used to identify particular law enforcement teams’ vulnerabilities.
One police department, for example, revealed that at the time it didn’t have a full-time SWAT team and was unable to respond to an active shooter situation. A police sergeant elsewhere included the information that the majority of their town’s residents owned firearms but that the nearest shooter response team was half an hour away.
ZDNet points out that this information could be used to target law enforcement officials and their families, as well as being used by a shooter to plan an attack.
The database has been removed since Flash Gordon shared these details with ZDNet. It’s unknown whether anyone else found or accessed the information.
“The university’s Information Security Office learned of the breach in late March 2018 and took immediate action to secure the exposed data as it launched an investigation,” said Ken Pierce, vice president for information technology at Texas State University. “Individuals whose records were compromised by the breach, as well as the Texas Department of Information Resources, have been notified.”