A data breach at a federally funded active shooter training center has exposed the personal data of thousands of US law enforcement officials, ZDNet has learned.
The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training -- known as ALERRT -- at Texas State University.
The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection.
ZDNet obtained a copy of the database, which was first found by a New Zealand-based data breach hunter, who goes by the pseudonym Flash Gordon.
Working with federal agencies like the FBI, the Texas-based organization provides training to law enforcement and civilians around the US in an effort to prevent or disrupt active shooter incidents. Since its inception in 2002, ALERRT has received tens of millions of dollars in funding from the Justice Department, Homeland Security, and several state governments.
It's said that more than 114,000 law enforcement officials have been trained by ALERRT.
When reached, ALERRT's executive director, Pete Blair, declined to comment. When asked if the breach will be reported to state authorities, Blair said: "We always follow all state laws."
A spokesperson for Homeland Security referred comment to ALERRT. When reached prior to publication, the FBI said it had no comment.
"In the wrong hands this data could be detrimental or even deadly for the first responders who put their lives on the line every day," said John Wethington, a security researcher, who reviewed a portion of the data for ZDNet.
The database contained thousands of personal data records, including law enforcement officer's work contact information, with many of the records listing personal email addresses, work addresses, and cell numbers.
Officials from the FBI, Customs and Border Protection (CBP), and the US Border Patrol were listed in the database.
In another table, some 65,000 officers who had taken an ALERRT course and provided feedback had their full name and zip code exposed.
Another table listed detailed histories on instructors, including their skills and training, while another contained the names of more than 17,000 instructors.
Another table contained 51,345 sets of geolocation coordinates of schools, courts, police departments, and government buildings, like city halls and administrative offices. The data also included places of interest, such as where people gather -- like universities and malls. The list also contained, in some cases, police officers' home addresses. We confirmed this using Google's Street View, which in several cases revealed marked police vehicles outside the residence.
It's not clear for what reason these locations were collated or stored.
The organization also kept more than 85,000 emails that were sent by staff to prospective trainees and course takers dating back to at least 2011. Responses and replies sent by law enforcement did not appear in this table.
Many of the emails contained or asked for sensitive data. Password reset emails would often ask users for their date of birth or the last four digits of their Social Security number for their profile. It's not clear why this data was needed, or if it was stored in another database.
Other emails informed law enforcement staff of successful enrollment in classes, which contained names, email addresses, phone numbers, the course they were taking, and where and when the course was offered.
That data alone would give anyone insight into the capabilities of police and law enforcement departments across the country.
Wethington told ZDNet that this data, combined with other readily available information on the internet, "could be used to target individuals or groups of first responders and their families."
But other tables included requests made by law enforcement reaching out to the organization for help through its web form. In doing so, many officials volunteered highly sensitive information about deficiencies in their jurisdiction, revealing their department's lack of training or capabilities.
One police department openly admitted that it "doesn't have a full-time SWAT team," and is unable to respond to an active shooter situation. An ALERRT staffer responded, saying that the organization "couldn't facilitate his request at this time."
Another had a similar situation. "Multiple agencies often respond to high priority calls together, yet rarely train together," said one police chief who was requesting anti-shooter training.
In another case, a police sergeant based in a rural town on the east coast requested training, describing the majority of its residents as firearm owners, but any shooter response team would be more than a half-hour away.
In another case, one university police lieutenant requested training for his department. He said that there was "no active shooter response instructor training [in the area] in the last five years."
"The information disclosed in some of these messages paints a picture of a nationwide lack of training and a system that is unable to sustain the influx of requests," said Wethington.
"This intelligence could be easily exploited by domestic terrorists or 'lone wolfs' to exploit the weaknesses discussed in this correspondence," he said. "For instance, an individual who wanted to push a particular state or local agency and the community it supports into a crisis need only look for an agency or community in this data that has expressed concern for their ability to respond to a active shooter."
The database has since been removed, but it's not known who else accessed it or what damage may have already been done.