Report: California weapons data breach was unintentional

According to an investigation released Wednesday, the California Department of Justice erroneously posted the names, addresses and birthdays of nearly 200,000 gun owners online because officials didn’t follow guidelines or understand how to run their website.

The investigation, conducted by an outside law firm hired by the California Department of Justice, found that 192,000 people’s personal information was downloaded 2,734 times from 507 unique IP addresses over a period of about 12 hours at the end of June. All of these individuals had applied for a permit to carry a concealed weapon.

The data came just days after the US Supreme Court ruled that people have the right to carry guns in public. The decision overturned a California law that required people to provide a reason for wanting to carry a concealed weapon, such as a threat to their safety. Lawmakers then tried to enact new restrictions on concealed carry permits, but failed.

Investigators said they “found no evidence that the timing of the (data breach) was determined by nefarious intent or was in any way personally or politically motivated.” Instead, they said state officials planned to release what they believed to be anonymous data after the court ruling “to accommodate anticipated increased public interest in firearms-related data.”

According to Chuck Michel, attorney and president of the California Rifle & Pistol Association, willful violation of personally identifiable information carries more severe fines and penalties under California law. Michel said his group is preparing a class action lawsuit against the state. He noted that the leaked data likely contained information from people in sensitive positions — including judges, law enforcement officials and victims of domestic violence — who had applied for gun permits.

“There’s a lot of gaps and unanswered questions, maybe intentional, and this whole notion of whether this was an intentional release or not,” he said. “This is not the end of the investigation.”

The Justice Department hired law firm Morrison Foerster to investigate the data exposure. The firm said it has “the mandate and autonomy to conduct an independent investigation that follows the facts and evidence wherever they lead.”

California Department of Justice officials were unaware of the breach until someone privately messaged Attorney General Rob Bonta on Twitter that included screenshots of the personal information, which could be downloaded from the state’s website, the investigation said.

State officials initially thought the report was a hoax. Two unnamed employees – identified only as “Data Analyst 1” and “Research Center Director” – investigated and falsely assured everyone that no personal information was publicly available.

Meanwhile, the website crashed due to so many people trying to download the data. Another group of state officials worked to bring the site back online, unaware of the breach. They got the website up and running again around 9:30pm

State officials would not deactivate the site until around noon the next day. By then, the information had already been downloaded thousands of times.

State officials thought they were providing overall anonymous information for research and media inquiries into gun use in California. But the employee who created the website inserted several records with personal data.

Investigators found that no one — neither the employee who compiled the data nor the officers supervising the employee — knew the proper security settings to prevent the data from being publicly downloadable.

“This was more than a disclosure of data, it was a breach of trust that falls far short of my expectations and what Californians expect of our department,” Attorney General Bonta said in a press release. “I remain deeply upset that this incident occurred and, on behalf of the Department of Justice, offer my sincere apologies to those affected.”

Other information was also erroneously released, including data from firearm safety certificates, dealer sales records and the state’s Assault Weapons Registry. This data included dates of birth, gender and driver’s license numbers of more than 2 million people and 8.7 million gun transactions. However, investigators said those records did not contain enough information to identify anyone.

Investigators recommended more training and planning for state officials, including reviewing and updating policies and procedures.

“This error requires immediate correction, which is why we are implementing all of the recommendations from this independent report,” Bonta said.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button