GOC Responds:  The Report on DOJ’s Data Leak is “An Embarrassment of Riches”

They told us it could never happen.  They told us the private information they had collected on all of us was safe.  But then the Department of Justice leaked the confidential data of thousands of Californians, rolling it out to the internet where nothing really ever goes away.

In the wake of this unethical breach, the Attorney General wrung his hands and demanded answers from his people.  A third-party investigation by Morrison Foerster was launched, the results were published on November 30, and in short, it’s an embarrassment of riches.

  • The investigation confirmed that confidential personal data in the underlying dataset associated with Concealed Carry Weapons permits (CCW), Firearm Safety Certificates (FSC), Dealer Record of Sale (DROS), and Assault Weapons Registry (AWR)-related data was publicly accessible on the Firearms Dashboard from June 27-28. UNACCEPTABLE AND BORDERLINE ILLEGAL
  • In total, personal data for approximately 192,000 individuals was exposed. EXPOSED? NO, MADE VICTIMS OF POTENTIAL DANGER
  • The confidential data was downloaded approximately 2,734 times, in full or in part, across 507 unique IP addresses.  The CCW-related data included data for the years 2012 to 2021 and included the following fields: name, date of birth, street address associated with the permit, gender, race, county, CCW License Number, status of CCW applications, and California’s Criminal Identification and Information/State Identification number. DOJ HANDED CRIMINALS A PERFECT ROADMAP, BY IDENTIFYING POTENTIAL TARGETS

According to their own Administrative Manual, among its critical responsibilities and mandates, the California Department of Justice (DOJ):

. . . manag[es] multiple data repositories that contain highly sensitive and regulated criminal justice… and personally identifiable data. The confidentiality of this data must be protected at all times to ensure the DOJ continues to meet its responsibilities as custodians and providers of this data. 

Hold on here.  If this is the case, then how did this happen? 

The investigation found that the data exposure was due to a lack of DOJ personnel training, requisite technical expertise, and professional rigor; insufficiently documented and implemented DOJ policies and procedures; and inadequate oversight by certain supervisors. THIS POINTS TO THE FACT THAT THE DOJ IS DEFECTIVELY MANAGED AND OPENS WIDE THE DOOR OF SCRUTINY TO OTHER SUCH FAILURES.   

In testimony before the California Legislature, GOC has witnessed the Department brush away privacy concerns.  The Department has repeatedly stressed its use of multi-step protocols for data safety, and that there is no danger of private information coming into the hands of unauthorized individuals.  This, when questioned specifically about the safety and privacy of confidential data.

The Department must be held to account. IF THERE IS EVEN A SINGLE INSTANCE WHERE THE RELEASE OF THIS INFORMATION LEADS TO A CRIME, AG BONTA AND THE DOJ MUST SHOULDER RESPONSIBILITY.

Even though the report states “only the CCW-related data could be used to independently identify individuals”, more than 2 million driver’s license numbers and birthdates from Firearm Safety Certificates, a whopping 8.7 million transactions that included birth dates and gender from Dealer Records of Sale, and 31,000 Assault Weapons Registry Unique Identifiers were also released, as well as birthdates, gender, county, and weapon type.  HOWEVER, the Department insists that “risk from such exposure is limited because the data cannot be used to independently identify individuals.”  THE DEPARTMENT IS CLEARLY NOT PROFICIENT TO DETERMINE WHO AND WHAT IS AT RISK ESPECIALLY GIVEN WHAT SAVVIER AND TECHNOLOGICALLY SUPERIOR CRIMINALS ARE ABLE TO DO WITH LIMITED CREDIT CARD DATA.

In closing, the Report states that it was not discovered that the public could view the underlying confidential personal data until the morning of June 28; DOJ personnel’s prior assurances to the contrary were based on an incomplete review of the Firearms Dashboard active functionality and an erroneous understanding of Tableau (software) security settings.

Anything that comes from the Department of Justice must be met with great skepticism.  Their assurances mean nothing at this point, and severe consequences must follow.  TO LEARN MORE ABOUT WHAT YOU CAN DO TO HOLD THE DEPARTMENT RESPONSIBLE FOR THE LEAK OF CONFIDENTIAL DATA, CLICK HERE FOR DETAILS ON NEXT STEPS.