Cybersecurity experts say the California Department of Justice apparently failed to follow basic security procedures on its website, exposing the personal information of hundreds of thousands of gun owners.
The website has been designed to display only general data on the number and location of concealed carry firearms permits, broken down by year and county. But for about 24 hours from Monday, a spreadsheet with names and personal information was in a few clicksready for viewing or downloading.
Katie Moussouris, founder and CEO of Luta Security, said there should have been access controls to ensure information remained out of reach of unwanted parties, and sensitive data should have been encrypted so that they are unusable.
The damage done depends on who accessed the data, she said. Criminals could sell or use the private credentialsor use permit applicants’ criminal histories “for blackmail and influence,” she said.
Some are already trying to use this information to criticize gun control advocates who they say have been found to have concealed carry permits. An online site called The Gun Feed included a post calling on a leading attorney at Giffords Law Center to prevent gun violence. But the center said the site had the wrong person – someone with the same name as his attorney.
Five other gun databases were also compromised, but Attorney General Rob Bonta’s office was unable to say what happened or even how many people are in the databases.
“We are conducting a thorough and thorough investigation into all aspects of the incident and will take all appropriate action in response to what we learn,” his office said in a statement Friday.
He said one of the other databases listed handguns but not people, while the others, including gun violence prohibition orders, did not contain names but may have names. other identifying information.
“The volume of information is incredibly sensitive,” said Sam Paredes, executive director of Gun Owners of California.
“Deputy prosecutors, police officers, judges, they are doing everything they can to protect their residential addresses,” he said. “The peril into which the Attorney General has put hundreds of thousands of people … is incalculable.”
Attorney Chuck Michel, president of the California Rifle and Pistol Association, said he has received hundreds of calls and emails from gun owners seeking to join what he hopes will be an appeal. collective.
The improper release came days after the U.S. Supreme Court made it easier to carry concealed weapons and Bonta worked with state lawmakers to Fixes California’s Vulnerable New Concealed Carry Law.
No evidence has so far revealed that the leak was deliberate. Independent cybersecurity experts said the release could easily have been lax oversight.
The Bonta office was unable to say if and how often the databases were downloaded. Moussouris said the agency has this information if it keeps access logs, which she said is a fundamental and necessary step to protect sensitive data.
Tim Marley, vice president of risk management at cybersecurity firm Cerberus Sentinel, questioned the speed of the agency’s response to a problem with a website that should have been continuously monitored.
“Given the sensitive nature of the data exposed and the potential impact on those directly involved, I would expect a response within 24 hours, from notification to action,” he said. .
Bonta’s office said it was reviewing the timeline to see when it discovered the problem.
Designing public websites “should always be done with an effort to build security into the process,” Marley said.
Developers should also properly test their systems before releasing new code or modifying existing code, he said. Yet organizations often rush change because they focus “on making things work better than on being safe.”
Every Republican state senator and Member of the Assembly called on Bonta, a Democrat seeking reelection, to increase his disclosures about the information failure, which they say violates state law. They also requested specific information about the release and investigation, and senators criticized the department for an apparent lack of testing and security.