A California Department of Justice website relating to firearms registration has been found to be exposing personal information.
A June 27 update to the Firearm Dashboard Portal exposed details of individuals who were granted or denied a concealed carry weapons permit between 2011 and 2021. The information exposed included names, dates of birth, gender, race, driver’s license number, address and criminal history. Social Security numbers and financial information were not disclosed.
Data from additional dashboards were also exposed. Affected dashboards include the Assault Weapon Registry, Handguns Certified for Sale, Dealer Record of Sale, Firearm Safety Certificate and Gun Violence Restraining Orders.
The data was exposed for a period of 24 hours. It’s not known how many users were affected or whether the data was stolen. The portals have since been taken offline.
“This unauthorized release of personal information is unacceptable and falls far short of my expectations for this department,” Attorney General Rob Bonta said in a statement. “I immediately launched an investigation into how this occurred at the California Department of Justice and will take strong corrective measures where necessary.”
The department said it will notify all individuals whose data was exposed in the coming days and provide additional information and resources. It also asked anyone who has accessed the information to respect the privacy of the individuals involved and not share the personal information.
“Given that this breach involving the Department of Justice was the result of a data exposure on their recently launched site and the breach informant was the California State Sheriff’s Association rather than a security researcher or a security operation center, it appears that this incident was the result of negligence, rather than an attack,” Nick Tausek, security automation architect at low-code security automation company Swimlane Inc., told SiliconANGLE. “Although details are still sparse, it seems likely that this leak… may have been a result of improper authentication controls around accessing dashboards that house and permit access to this type of information.”
Given that gun control is a hot topic in the U.S., Tyler Glotz, manager, governance risk and compliance at security intelligence firm LogRhythm Inc., raised an obvious question. He said the event “raises questions of inside actors or hacktivists reacting to national changes in concealed carry law that came from NYSRPA v Bruen just days before.”