California state's gun control websites expose personal data
And some of it may have been leaked on social media
A California state website exposed the personal details of anyone who applied for concealed-carry weapons (CCW) permits between 2011 and 2021.
According to the California Department of Justice, the blunder happened earlier this week when the US state's Firearms Dashboard Portal was overhauled.
In addition to that portal, data was exposed on several other online dashboards provided by the state, including: Assault Weapon Registry, Handguns Certified for Sale, Dealer Record of Sale, Firearm Safety Certificate, and Gun Violence Restraining Order dashboards.
The Cali DOJ noted that the dashboards and data were available to the public "for less than 24 hours," and the information exposed included names, dates of birth, gender, race, driver license numbers, addresses, and criminal histories. It did not, however, expose Social Security numbers and financial information, according to the West Coast state.
Still, some private information may have been posted on social media websites, according to the Fresno County Sheriff's Office, which initially disclosed the data leak.
The state DOJ said it will notify Californians whose data was exposed and "provide additional information and resources" in the coming days. This includes credit monitoring services for those affected.
"I immediately launched an investigation into how this occurred at the California Department of Justice and will take strong corrective measures where necessary," said California Attorney General Rob Bonta in a statement, adding he was "deeply disturbed and angered" by the incident.
Bonta's office did not immediately respond to The Register's questions about how many people were affected, and how many California residents apply for and/or are denied a concealed weapons permit each year.
"The failure to keep stakeholders' sensitive data confidential is coming with greater consequences for organizations in the United States," Tim Marley, VP for audit, risk and compliance at Cerberus Sentinel, told The Register.
The California cyber-gaffe comes at a time when data privacy is at the forefront of the national debate, in large part because of the US Supreme Court's recent decision to overturn Roe vs. Wade, which has called into question what personal data is collected, retained — and potentially sold or shared.
In the weeks leading up to the court's ruling, US lawmakers introduced several federal data privacy bills. Five states (California, Colorado, Connecticut, Utah and Virginia) have their own consumer data privacy laws on the books, and at least six others have legislation under review.
"At the end of the day, we shouldn't need legislation to force us to examine the sensitive data in our possession and verify that we protect it at every stage of the data lifecycle," Marley added. "We are the custodians of this data and owe it to our customers, clients, partners, and residents to verify that we always manage this information securely." ®