Investigation shows DOJ misses the bullseye on cyber security

The Department of Justice announces the results of a five-month-long investigation of a data leak that affected roughly 192,000 individuals

SACRAMENTO, CALIF. – Thousands of individuals were notified that personal information from their concealed carry weapons permits was leaked by Department of Justice personnel.

The Department of Justice (DOJ) announced on Nov. 30 that it “accidentally” leaked personal information from roughly 192,000 individuals who applied for concealed carry weapons (CCW) permits from 2012 to 2021. The investigation concluded that the exposed information included multiple individuals’ names, dates of birth, street addresses associated with the permit, gender, race, county, CCW License Number, status of CCW application and California’s criminal identification and state identification number.

The data leak was associated with four sets of firearms-related data, which include: 

  • CCW permits and applications
  • Firearms Safety Certificates (FSC)
  • Dealer Record of Sale transactions (DROS)
  • Assault Weapons Registry (AWR)

Although the data leak included FSC, DROS, and AWR-related information, the investigation found that there was no associated name or other identifier that could be used to independently identify individuals, according to the DOJ press release. Fortunately, social security numbers and financial information were not included in the underlying dataset that was exposed. 

In Tulare County alone, this could affect over 16,000 individuals who possess CCW permits, according to data from Teresa Douglass with the Tulare County Sheriff’s Office. The affected individuals were previously contacted about the data leakage through a letter.

“This unauthorized release of personal information was unacceptable,” Attorney General Rob Bonta said in a statement. “This was more than an exposure of data, it was a breach of trust that falls far short of my expectations and the expectations Californians have of our department.”

The data leak was first announced on June 27, 2022. The DOJ said that personal information of individuals was leaked in connection with an update of its firearms dashboard portal, which is its database that contains CCW individuals’ information. Data of both those who were granted a permit and those who were denied one was exposed.

“I remain deeply angered that this incident occurred and extend my deepest apologies on behalf of the Department of Justice to those who were affected,” Bonta stated. “I thank the outside experts for this independent report, which is an important step in our work to build trust and transparency.” 

Since the data leak was first announced, the DOJ has been under an investigation conducted by the law firm of Morrison Foerster, with the assistance of the FTI consulting company, an outside cyber expert. The investigation found that this improper exposure on the firearms dashboard was unintentional. However, it was mainly due to a number of deficiencies within the DOJ, including a lack of training, expertise and professional rigor, according to the DOJ’s press release.

“While the report found no ill intent, this incident was unacceptable, and the DOJ must be held to the highest standard,” Bonta said. “This failure requires immediate correction, which is why we are implementing all of the recommendations from this independent report.”

In June, the DOJ sent out a notice warning individuals that the information that could have been exposed includes names, dates of birth, gender, race, driver’s license numbers, addresses and criminal history.

To remedy the data leak, the DOJ has offered impacted individuals identity protection services through IDX, the nation’s largest provider of data breach response services. The protection plan the DOJ is offering includes 12 months of triple-bureau credit monitoring, CyberScan dark web monitoring, a $1 million insurance reimbursement policy and fully managed ID theft recovery services, according to the DOJ. All of this would be free of charge to the impacted individuals. Also, the DOJ will now be practicing better security as suggested by the investigation, such as:

  • Conducting a thorough review of all DOJ policies and procedures regarding the handling of confidential personal data and the supervision of personnel handling such data.
  • Conducting enhanced training regarding the handling of confidential personal data as appropriate, taking into account the specific roles and responsibilities of DOJ personnel.
  • Evaluating security risks for tech solutions used for projects that involve personal data and providing formal training for DOJ personnel regarding the use of these solutions.
  • Centralizing and improving DOJ’s organizational structure to enhance oversight and supervision of organization-wide risk management, data security, and related functions. To improve its oversight over risk management, data security, and related functions, DOJ will hire a chief information security officer to lead a team of specialists and have ultimate responsibility for data security across all DOJ components.
  • Developing a detailed data incident action plan for use in case of any future reports of exposure of confidential or sensitive data.
  • Reviewing and revising its approval process for any project involving confidential personal data to ensure that such review is sufficiently documented, systematic, and rigorous.
