The FCC’s enforcement bureau is looking into California-based LocationSmart, a location data compiler and broker, after a Missouri sheriff exploited a demo mode that allowed him to track the location of subjects that were not intended to be tracked.

The New York Times has obtained state and federal charges against Mississippi County Sheriff Cory Hutcheson had used such a feature from Securus Technologies which makes programs to track inmate calls and locations. He had used this little-known exploit at least 11 times between 2014 and 2017 to see the locations of State Highway Patrol officers and a judge. Hutcheson has plead “not guilty.”

Reuters reports that Securus buys data that is sourced from LocationSmart which is itself received from AT&T, Sprint, T-Mobile and Verizon. The flaw on LocationSmart’s part was first spotted by researcher Robert Xiao of Carengie Mellon University.

LocationSmart stated that it has since removed the demo feature. Securus has disabled all locating services as a temporary measures while it consults its contingent parties. Furthermore, the company says it has “no direct business relationship with LocationSmart.”

An AT&T spokesperson said the company disallows location sharing without consumer consent or a law enforcement warrant and would “take appropriate action” if a vendor fails to comply with policy. Sprint is reviewing the matter internally. T-Mobile has yet to comment.

No other events using this exploit have surfaced.