SACRAMENTO, Calif. (AP) — Cybersecurity experts say the California Department of Justice apparently failed to follow basic security procedures on its website, exposing the personal information of potentially hundreds of thousands of gun owners. .
The website was designed to display only general data on the number and location of concealed carry permits, broken down by year and county. But for about 24 hours starting Monday, a spreadsheet with names and personal information was sent out. just a few clicks awayready to review or download.
Katie Moussouris, founder and CEO of Luta Security, said there should be access controls to make sure information stays out of the hands of unwanted third parties, and sensitive data should be encrypted so it can’t be used.
The damage caused depends on who accessed the data, he said. Criminals could sell or use the private identification informationor use the criminal records of permit applicants “for blackmail and leverage,” he said.
Some are already trying to use the information to criticize gun control advocates who they say revealed they had concealed-carry permits. An online site called The Gun Feed featured a post calling out a prominent attorney from the Giffords Law Center to prevent gun violence. But the center said the site had the wrong person, someone with the same name as her attorney.
Five other firearms databases were also compromised, but Attorney General Rob Bonta’s office has not been able to say what happened or how many people are in the databases.
“We are conducting a thorough and thorough investigation of all aspects of the incident and will take all appropriate action in response to what we learn,” his office said in a statement Friday.
He said one of the other databases listed firearms but not people, while the others, including gun violence restraining orders, did not contain names but may have had other identifying information.
“The volume of information is incredibly sensitive,” said Sam Paredes, executive director of Gun Owners of California.
“Assistant prosecutors, police officers, judges, do everything they can to protect their residential addresses,” he said. “The danger that the attorney general has placed hundreds of thousands of people in… is incalculable.”
Attorney Chuck Michel, president of the California Rifle and Pistol Association, said he has received hundreds of calls and emails from gun owners seeking to join what he hopes will be a class action lawsuit.
The improper posting came days after the US Supreme Court made it easier for people to carry concealed weapons, and as Bonta worked with state lawmakers to patch California’s recently vulnerable concealed carry law.
No evidence has so far revealed that the leak was deliberate. Independent cybersecurity experts said the launch could easily have been lax oversight.
Bonta’s office has been unable to say whether or how often the databases were downloaded. Moussouris said the agency has that information if it keeps access logs, which he called a basic and necessary step to protect sensitive data.
Tim Marley, vice president of risk management at cybersecurity firm Cerberus Sentinel, questioned the agency’s speed of response to a problem with a website that should have been constantly monitored.
“Given the sensitive nature of the exposed data and the potential impact to those directly involved, I would expect a response in much less than 24 hours from notification to action,” he said.
Bonta’s office said it is reviewing the timeline to see when he discovered the problem.
Designing public websites “should always be done with an effort to design security into the process,” Marley said.
Developers should also properly test their systems before releasing any new code or modifying existing code, he said. However, organizations often rush changes because they focus “on making it work instead of making it secure.”
every republican state senator Y assembly member asked Bonta, a Democrat running for re-election, to increase his disclosures about the information breach, which they say violates state law. They also asked for specific information about the release and investigation, and the senators criticized the department for an apparent lack of evidence and security.
JOIN THE CONVERSATION
Anyone can read Conversations, but to contribute, you must be a registered Torstar account holder. If you don’t have a Torstar account yet, you can create one now (it’s free)