Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Experts: California Lacked Safeguards for Gun Owner Info

Cybersecurity experts say the California Department of Justice apparently failed to follow basic security procedures on its website, exposing the personal information of potentially hundreds of thousands of gun owners.

Cybersecurity experts say the California Department of Justice apparently failed to follow basic security procedures on its website, exposing the personal information of potentially hundreds of thousands of gun owners.

The website was designed to only show general data about the number and location of concealed carry gun permits, broken down by year and county. But for about 24 hours starting Monday a spreadsheet with names and personal information was just a few clicks away, ready for review or downloading.

Katie Moussouris, founder and CEO of Luta Security, said there should have been access controls to make sure the information stayed out of the reach of unwanted parties, and the sensitive data should have been encrypted so it would have been unusable.

The damage done depends on who accessed the data, she said. Criminals could sell or use the private identifying information, or use permit-seekers’ criminal histories “for blackmail and leverage,” she said.

Already some are attempting to use the information to criticize gun control advocates who they say were revealed as having concealed carry permits. An online site called The Gun Feed included a post calling out a top lawyer for the Giffords Law Center to Prevent Gun Violence. But the center said the site had the wrong person — someone with the same name as its lawyer.

Five other firearms databases were also compromised, but Attorney General Rob Bonta’s office has been unable to say what happened or even how many people are in the databases.

“We are conducting a comprehensive and through investigation into all aspects of the incident and will take any and all appropriate measures in response to what we learn,” his office said in a statement Friday.

It said one of the other databases listed handguns but not people, while the others, including on gun violence restraining orders, did not contain names but may have had other identifying information.

Advertisement. Scroll to continue reading.

“The volume of information is so incredibly sensitive,” said Sam Paredes, executive director of Gun Owners of California.

“Deputy DAs, police officers, judges, they do everything they can to protect their residential addresses,” he said. “The peril that the attorney general has put hundreds of thousands of people … in is incalculable.”

Attorney Chuck Michel, president of the California Rifle and Pistol Association, said he has been fielding hundreds of calls and emails from gun owners looking to join what he expects will be a class-action lawsuit.

The improper release came days after the U.S. Supreme Court made it easier for people to carry hidden weapons, and as Bonta worked with state lawmakers to patch California’s newly vulnerable concealed carry law.

No evidence has so far revealed that the leak was deliberate. Independent cybersecurity experts said the release could easily have been lax oversight.

Bonta’s office has been unable to say whether and how often the databases were downloaded. Moussouris said the agency has that information if it was keeping access logs, which she called a basic and necessary step to protect sensitive data.

Tim Marley, a vice president for risk management at the cybersecurity firm Cerberus Sentinel, questioned the speed of the agency’s response to a problem with a website that should have been constantly monitored.

“Given the sensitive nature of the data exposed and potential impact to those directly involved, I would expect a response in much less than 24 hours from notification to action,” he said.

Bonta’s office said it is reviewing the timeline to see when it discovered the problem.

The design of public websites “should always be done with an effort to design security into the process,” Marley said.

Developers also need to properly test their systems before launching any new code or modifying existing code, he said. Yet often organizations rush changes because they are focused “on making it work over making it work securely.”

Every Republican state senator and Assembly member called on Bonta, a Democrat running for reelection, to increase his disclosures about the information lapse, which they said violates state law. They also asked for specific information about the release and investigation, and senators criticized the department for an apparent lack of testing and security.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...