Cybersecurity experts say the California Department of Justice has clearly failed to follow basic security procedures on its website, potentially exposing the personal information of hundreds of thousands of gun owners.
The website was designed to only show general data about the number and location of concealed carry gun permits, broken down by year and county. But for nearly 24 hours starting Monday, a spreadsheet with names and personal information was just a few clicks away, ready for review or download.
Katie Moussouris, founder and CEO of Luta Security, said there should have been access controls to ensure that information remains out of reach of unwanted parties, and that sensitive data should be encrypted so that it is unusable.
She said the damage depends on who accessed the data. Criminals may sell or use personally identifiable information, or use the criminal histories of permit-seekers “for blackmail and leverage.”
Already some are trying to use the information to criticize gun control advocates who, they say, appeared in the concealed carry permit data. An online site called The Gun Feed included a post calling out a top lawyer at Giffords Law Center to Prevent Gun Violence. But the center said the site had the wrong person – someone with the same name as its lawyer.
Five other firearms databases were also compromised, but Attorney General Rob Bonta’s office has been unable to say what happened or how many people are in those databases.
“We are conducting a comprehensive and thorough investigation of all aspects of the incident and will take any and all appropriate measures in response to what we learn,” his office said in a statement Friday.
It said one of the other databases listed handguns but not people, while others, including one of gun violence restraining orders, did not have names but may have had other identifying information.
“The amount of information is so incredibly sensitive,” said Sam Paredes, executive director of Gun Owners of California.
“Deputy DAs, police officers, judges, they make every effort to protect their residential addresses,” he said. “The trouble the Attorney General has put hundreds of thousands of people in cannot be counted.”
Attorney Chuck Mitchell, president of the California Rifle and Pistol Association, said he has been sending hundreds of calls and emails from gun owners in what he hopes will lead to a class-action lawsuit.
The data release came days after the US Supreme Court made it easier for people to carry concealed weapons, and as Bonta was working with state lawmakers to shore up California’s newly weakened concealed carry law.
So far no evidence has emerged that the leak was intentional. Independent cybersecurity experts said the release could easily have been avoided.
Bonta’s office has been unable to say how many times, or how often, the database was downloaded. Moussouris said the agency should have information on whether it was keeping access logs, which she described as a basic and necessary step to protect sensitive data.
Tim Marley, vice president of risk management at cybersecurity firm Cerberus Sentinel, questioned the speed of the agency’s response to a problem with a website that should have been continuously monitored.
“Given the sensitive nature of the data and the potential impact on those directly involved, I expect a response from notification to action in less than 24 hours,” he said.
Bonta’s office said it is reviewing the timeline to see when it learned of the problem.
The design of public websites “should always be done with an effort to design security into the process,” Marley said.
He added that developers also need to properly test their systems before launching any new code or modifying existing code. Yet too often organizations rush into change because they “focus on working to make it work safely.”
Every Republican state senator and member of the Assembly called on Bonta, a Democrat running for re-election, to expand his disclosures about the information lapse, which they said violated state law. They also sought specific information about the release and the investigation, and criticized the department for its apparent lack of testing and protection.