There was no “nefarious purpose” behind the release of personal data belonging to nearly 200,000 California gun owners and concealed carry permit holders by the state Department of Justice, an independent review has found.
The massive data breach, which prompted outrage and lawsuits from gun rights groups, was unintentional, according to a report released Wednesday by independent legal and forensic cyber experts hired to investigate the matter. The independent review found that personal information for 192,000 people was downloaded 2,734 times by 507 unique IP addresses during a roughly 12-hour period in late June.
The data was exposed just days after the U.S. Supreme Court ruled that people have a right to carry guns in public. The decision invalidated a California law that said people must give a reason for wanting to carry a concealed weapon, such as a threat to their safety. Lawmakers then tried to pass new restrictions for concealed carry permits, but failed.
Gun rights activists had called the data leak an “egregious” breach of privacy. The California Rifle & Pistol Association is preparing a class action lawsuit against the state and has set up a web page encouraging victims to file an administrative claim form with the state Justice Department.
California Attorney General Rob Bonta has called the privacy breach “unacceptable” and promised corrective action.
“I remain deeply angered that this incident occurred and extend my deepest apologies on behalf of the Department of Justice to those who were affected,” Bonta said in a statement.
“While the report found no ill intent, this incident was unacceptable, and DOJ must be held to the highest standard. This failure requires immediate correction, which is why we are implementing all of the recommendations from this independent report,” he added.
The law firm of Morrison Foerster conducted the investigation in partnership with FTI, an outside cyber expert.
“The investigation found that the data exposure was due to a lack of DOJ personnel training, requisite technical expertise and professional rigor; insufficiently documented and implemented DOJ policies and procedures; and inadequate oversight by certain supervisors,” the report states. “This combination of factors resulted in errors, poor judgment, and missed opportunities by certain DOJ personnel, and ultimately, in DOJ’s failure to meet the responsibilities with which it was entrusted as the custodian of confidential personal information.”
Investigators detailed DOJ’s chaotic and confusing response to the data breach. DOJ officials were not aware of what happened until someone sent Bonta a direct message on Twitter that included screenshots showing how personal information was available to be downloaded from the OpenJustice dashboard, the report said.
Officials initially believed the images circulating on social media were a hoax. Two unnamed employees – identified only as “Data Analyst 1” and “Research Center Director” – investigated and wrongly assured everyone that no personal information was publicly available.
While they made those assurances, the DOJ dashboard crashed because so many people were trying to download the data. Another group of state officials worked to restore the website, unaware of the breach. The dashboard was back online at around 9:30 p.m. and remained active until noon the next day, when state officials realized what happened and shut the dashboard down. But by then, gun owners’ personal data had been downloaded thousands of times.
State officials had established the dashboard as a tool for research and media requests about the use of guns in California, believing the data was anonymous. But the employee who created the website included several datasets that contained personal information.
Investigators found that no one – neither the employee who compiled the data nor the officials who supervised the employee – knew the proper security settings to prevent the data from being available for public download.
“This was more than an exposure of data, it was a breach of trust that falls far short of my expectations and the expectations Californians have of our department,” Bonta said.
Other information was also mistakenly released, including data from firearms safety certificates, dealer sales records, and the state’s assault weapons registry. That data included dates of birth, gender and driver’s license numbers for more than 2 million people and 8.7 million gun transactions. But investigators said there wasn’t enough information in those datasets to identify anyone.
Bonta, who was appointed attorney general by California Gov. Gavin Newsom, listed several actions DOJ will take in response to the report.
Beginning with a “thorough review” of related policies and procedures, Bonta’s office said the California DOJ will upgrade its training procedures, reform the agency’s organizational structure to “enhance oversight,” and “develop a detailed data incident action plan” for use in case of future data breaches, among other steps.
The Associated Press contributed to this report.