
Major California Department of Justice Data Breach Affecting CA Firearms Owners

shermantanker

Please keep politics to a minimum...

 

Summary

Yesterday the CA DOJ released an online tool that provided useful information on various California firearms statistics related to Carry Concealed Weapons Permits, Gun Violence Restraining Orders, Firearms Safety Certificates, and other related information that let the public sort by various data points. It is now being reported on Reddit that gigabytes of underlying data were easily accessible in plain text for several hours. The three leaked data sets I am seeing reported are:

  • CCW holders: Full name, full address, DOB, age, race, CCW effective dates, and CCW number, and if they are a judge/LEO.
  • FSC (required certificate to purchase firearms in CA): FSC number, driver's license, age, & issue date
  • DROS (background check): DOB, gender, & race

I do not have any technical details on what kind of database tool was used by the DOJ, but commenters who downloaded the data said it was accessible in a few clicks. This is not widely reported on non-firearms related media outlets yet and the CA DOJ has yet to publicly comment.

 

Quotes

Quote

 CA released a tool in the interest of "transparency" where gun data can be found. On the surface this is fine and doesn't appear to have anything personally identifiable.

Through a process that we will not be discussing, but is relatively easy and not even slightly hidden to do, you can access the names, addresses, and DOBs of all CCW holders in the state of CA. That includes judges, reserve officers, and random people like you and me. They also released information on FSC stats which has DOB and ID/DL numbers, and a file that includes DROS information, which has DOB, race, gender, and which dealer a given gun was purchased at since at least 2012. As you can see, this is devastating to the privacy of gun owners. It's fairly trivial to begin cross referencing data between these three documents to determine who owns what guns with decent accuracy, especially if they have a CCW that already says where they live.

 

Updated:

CA DOJ Office has confirmed the leak.

Quote

“We are investigating an exposure of individuals’ personal information connected to the DOJ Firearms Dashboard,” a spokesperson for the office told The Reload. “Any unauthorized release of personal information is unacceptable. We are working swiftly to address this situation and will provide additional information as soon as possible.”

Statement from The California Rifle & Pistol Association (CRPA)

Quote

“Vindictive sore loser bureaucrats have endangered people’s lives and invited conflict by illegally releasing confidential private information,” Chuck Michel, CRPA President, told The Reload. “CRPA is working with several legislators and sheriffs to determine the extent of the damage caused by DOJ’s doxing of law abiding gun owners. Litigation is likely.”

 

My thoughts

This is obviously a major security risk for Californians, especially celebrities, judges, and law enforcement, and shows how incompetent the DOJ's handling of this database was. I am eager to see what the state's response will be and if this will lead to tighter control of state firearms data due to the safety implications. Many states do not allow for digitization of certain firearms records for this very reason.

 

The reddit source includes information to contact one of the 2A organizations that are investigating the matter for legal action.

 

Sources

DOJ Link Attorney General Bonta Releases New Firearms Data to Increase Transparency and Information Sharing | State of California - Department of Justice - Office of the Attorney General

r/guns Alert: CA Gun Owners Information Leak : guns (reddit.com)

Massive Trove of Gun Owners’ Private Information Leaked by California Attorney General | The Reload

New statements California leaks personal information of legal gun owners | National News | kpvi.com

Main Rig "Rocinante" - Ryzen 9 5900X, EVGA FTW3 RTX 3080 Ultra Gaming, 32GB 3600MHz DDR4


The state of California suffered from a data breach. Just goes to show that it is always the people that are the bottom line for security.


Allow me to put my tin foil hat on for a moment.  
 

Given California’s very staunch anti-2A stance, this was done on purpose to give access to anti gun groups but with an easy way to cover it up. 
 

Back to reality. This is really bad and I don’t see any calls for whoever discovered the issue to be prosecuted like in Missouri. At least not yet I suppose. 


This is one of a few reasons why a national registry can not exist, by law.   (also there's not really any public benefit served by having a registry, let alone a public one)

 

So good job CA, you're going to be cited by every court case now in other states that want to set up a registry.

Workstation:  13700k @ 5.5Ghz || Gigabyte Z790 Ultra || MSI Gaming Trio 4090 Shunt || TeamGroup DDR5-7800 @ 7000 || Corsair AX1500i@240V || whole-house loop.

LANRig/GuestGamingBox: 9900nonK || Gigabyte Z390 Master || ASUS TUF 3090 650W shunt || Corsair SF600 || CPU+GPU watercooled 280 rad pull only || whole-house loop.

Server Router (Untangle): 13600k @ Stock || ASRock Z690 ITX || All 10Gbe || 2x8GB 3200 || PicoPSU 150W 24pin + AX1200i on CPU|| whole-house loop

Server Compute/Storage: 10850K @ 5.1Ghz || Gigabyte Z490 Ultra || EVGA FTW3 3090 1000W || LSI 9280i-24 port || 4TB Samsung 860 Evo, 5x10TB Seagate Enterprise Raid 6, 4x8TB Seagate Archive Backup ||  whole-house loop.

Laptop: HP Elitebook 840 G8 (Intel 1185G7) + 3080Ti Thunderbolt Dock, Razer Blade Stealth 13" 2017 (Intel 8550U)


lol

"The wheel?" "No thanks, I'll walk, its more natural" - thus was the beginning of the doom of the Human race.
Cheese monger.


2 hours ago, AnonymousGuy said:

This is one of a few reasons why a national registry can not exist, by law.   (also there's not really any public benefit served by having a registry, let alone a public one)

 

So good job CA, you're going to be cited by every court case now in other states that want to set up a registry.

some things should not be digitized...

Main Rig "Rocinante" - Ryzen 9 5900X, EVGA FTW3 RTX 3080 Ultra Gaming, 32GB 3600MHz DDR4


10 hours ago, AnonymousGuy said:

This is one of a few reasons why a national registry can not exist, by law

What could possibly go wrong, there should also be a registry of every citizen, detailing name, surname, age, residence and religion.

Never been done before.

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

EVs are bad, they kill the planet and remove freedoms too some


11 hours ago, AnonymousGuy said:

This is one of a few reasons why a national registry can not exist, by law.   (also there's not really any public benefit served by having a registry, let alone a public one)

 

So good job CA, you're going to be cited by every court case now in other states that want to set up a registry.

You realize that this isn't even as bad as some of the leaks done by credit agencies and other leaks that resulted in people's social security numbers being leaked along with a lot of other data. What you are basically saying is no data should be stored with people's info period because there could be a leak. 


11 hours ago, AnonymousGuy said:

This is one of a few reasons why a national registry can not exist, by law.   (also there's not really any public benefit served by having a registry, let alone a public one)

 

So good job CA, you're going to be cited by every court case now in other states that want to set up a registry.

Weeeeell public records of any kind usually tend to be helpful, at least there should be one for the gov that all agencies can access.


5 hours ago, suicidalfranco said:

What could possibly go wrong, there should also be a registry of every citizen, detailing name, surname, age, residence and religion.

Never been done before.

Yes it has and already taken care of - It's called Facebook.

"If you ever need anything please don't hesitate to ask someone else first"..... Nirvana
"Whadda ya mean I ain't kind? Just not your kind"..... Megadeth
Speaking of things being "All Inclusive", Hell itself is too.

 


1 hour ago, Beerzerker said:

Yes it has and already taken care of - It's called Facebook.

Facebook doesn't hold a record of the entire population of a nation, nor does it force anyone to sign up to it like a government would

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

EVs are bad, they kill the planet and remove freedoms too some


As much as I love Hanlon's Razor, this seems so breathtakingly poorly thought out as to require malicious intent.

 

Damn.

As #muricaparrotgang's founder, I invite you to join our ranks today.

"My name is Legion 'Murica Parrot Gang, for we are many."

 

(We actually welcome all forms of animated parrot gifs.)

 

The artist formerly known as Aelar_Nailo.

 

Profile Pic designed by the very lovely @Red :)!


9 hours ago, Brooksie359 said:

You realize that this isn't even as bad as some of the leaks done by credit agencies and other leaks that resulted in people's social security numbers being leaked along with a lot of other data. What you are basically saying is no data should be stored with people's info period because there could be a leak. 

This deals with requiring you to be publicly visible for your use of a constitutional right, significantly different than a credit company having phone-book information.  It's no different than requiring a registry of your political opinions, sexual preference, etc etc that are all covered by another constitutional right.  The reason everyone would scoff at that is because the obvious: there's no benefit for it beyond enabling easier harassment.  

 

Point being: this information is more "sacred" than info your average creditor has.  Imagine if this were a medical record dump...

Workstation:  13700k @ 5.5Ghz || Gigabyte Z790 Ultra || MSI Gaming Trio 4090 Shunt || TeamGroup DDR5-7800 @ 7000 || Corsair AX1500i@240V || whole-house loop.

LANRig/GuestGamingBox: 9900nonK || Gigabyte Z390 Master || ASUS TUF 3090 650W shunt || Corsair SF600 || CPU+GPU watercooled 280 rad pull only || whole-house loop.

Server Router (Untangle): 13600k @ Stock || ASRock Z690 ITX || All 10Gbe || 2x8GB 3200 || PicoPSU 150W 24pin + AX1200i on CPU|| whole-house loop

Server Compute/Storage: 10850K @ 5.1Ghz || Gigabyte Z490 Ultra || EVGA FTW3 3090 1000W || LSI 9280i-24 port || 4TB Samsung 860 Evo, 5x10TB Seagate Enterprise Raid 6, 4x8TB Seagate Archive Backup ||  whole-house loop.

Laptop: HP Elitebook 840 G8 (Intel 1185G7) + 3080Ti Thunderbolt Dock, Razer Blade Stealth 13" 2017 (Intel 8550U)


42 minutes ago, AnonymousGuy said:

This deals with requiring you to be publicly visible for your use of a constitutional right, significantly different than a credit company having phone-book information.  It's no different than requiring a registry of your political opinions, sexual preference, etc etc that are all covered by another constitutional right.  The reason everyone would scoff at that is because the obvious: there's no benefit for it beyond enabling easier harassment.  

 

Point being: this information is more "sacred" than info your average creditor has.  Imagine if this were a medical record dump...

You realize the credit companies leaked social security numbers right? Idk about you but SSN is much more important than basically all the info that was leaked and the ironic part is that credit companies have access to this info even if you have never used them. And again my point is that your argument is that we shouldn't collect and save data because it could be leaked when the real problem isn't the collecting and saving data part. The problem is security protocols around protecting that info are basically nonexistent in this case and resulted in the leak. Sure you can say if you don't collect the data then it can't be leaked but you can bet that the government has a lot of data collected on its citizens be it through the IRS or even your driver's license and to not address the poor security protocols that resulted in this leak will likely result in more such leaks just from different data pools. 


11 hours ago, suicidalfranco said:

What could possibly go wrong, there should also be a registry of every citizen, detailing name, surname, age, residence and religion.

TBH for 80% of people this information is easily found on social media, placed there by them xd

 

Nevertheless, for the remaining 20%, or for more private info - the only way for such information to not be stolen from public servers is for it to not be there at all.


11 hours ago, suicidalfranco said:

Facebook doesn't hold a record of the entire population of a nation, nor does it force anyone to sign up to it like a government would

Anyone on the web is tracked, whether you are a member of FB or not.
Maybe not for 100% of the population but it's not very far off.
It will build profile of anyone on the web via hardware profiling, adware along with other means and gather bits of info, more than enough to determine who you are and the rest.

FB is essentially a profiling engine, that's what it's for and how it's implemented. I mean how and why does Zuckerberg have the "Influence" he has within gov circles?
I mean think about it for a sec.

SEVERAL lawsuits over time about it and here's a sampling of these going at least as far back as 2011.

U.S. Supreme Court rebuffs Facebook appeal in user tracking lawsuit

Facebook tracking cookie returns, according to hacker | ZDNet

Court Rules Facebook Widgets Can Be Considered Wiretaps

And this one stated FB does indeed track everyone, even those that have never had a FB account at all in addition to the rest: Facebook admits tracking users and non-users off-site | Facebook | The Guardian

As one may figure this is only the tip of the Iceberg, demonstrates this has been going on for years and you can bet it still does for any and everyone they can profile and track. 

"If you ever need anything please don't hesitate to ask someone else first"..... Nirvana
"Whadda ya mean I ain't kind? Just not your kind"..... Megadeth
Speaking of things being "All Inclusive", Hell itself is too.

 


3 hours ago, AnonymousGuy said:

constitutional right,

LOL, what does that even mean anymore?  

 

Does anyone even know the meaning of the word amendment?  

 


1 hour ago, Ydfhlx said:

TBH for 80% of people this information is easily found on social media, placed there by them xd

 

Nevertheless, for the remaining 20%, or for more private info - the only way for such information to not be stolen from public servers is for it to not be there at all.

I would beg to differ. Basically all major leaks were the result of poor security protocols or a major mess up by someone with high clearance. Having info on servers doesn't mean it will be leaked they just need to handle the info properly. There are tons of servers full of people's info but you don't see them getting hacked because they actually follow a good security protocol. 


2 hours ago, Brooksie359 said:

I would beg to differ. Basically all major leaks were the result of poor security protocols or a major mess up by someone with high clearance. Having info on servers doesn't mean it will be leaked they just need to handle the info properly. There are tons of servers full of people's info but you don't see them getting hacked because they actually follow a good security protocol. 

The CC list is a massive issue. The State of CA just gave out the home addresses of almost every cop & judge. This is a great way to build trust among institutions themselves. Brilliant! 

Someone needs to serve time for this incompetence, if it really was just left there in plaintext.


Highly doubtful this was intentional. Someone in IT probably made a mistake and here we are.

 

Data breaches cost the state money. They won't do this on purpose.

 

That said, I'm affected, which sucks. Let my CCW expire several years ago because it was too restrictive to be useful anyway.

 

Before you reply to my post, REFRESH. 99.99% chance I edited my post. 

 

My System: i7-13700KF // Corsair iCUE H150i Elite Capellix // MSI MPG Z690 Edge Wifi // 32GB DDR5 G. SKILL RIPJAWS S5 6000 CL32 // Nvidia RTX 4070 Super FE // Corsair 5000D Airflow // Corsair SP120 RGB Pro x7 // Seasonic Focus Plus Gold 850w //1TB ADATA XPG SX8200 Pro/1TB Teamgroup MP33/2TB Seagate 7200RPM Hard Drive // Displays: LG Ultragear 32GP83B x2 // Royal Kludge RK100 // Logitech G Pro X Superlight // Sennheiser DROP PC38x


5 hours ago, Taf the Ghost said:

The CC list is a massive issue. The State of CA just gave out the home addresses of almost every cop & judge. This is a great way to build trust among institutions themselves. Brilliant! 

Someone needs to serve time for this incompetence, if it really was just left there in plaintext.

Like I said the list isn't the issue. The leaking of the list is the issue. Clearly this was extreme negligence to keep it as plain text and honestly I feel like this is just a part of a bigger issue where security for important information is not nearly good enough currently and needs to be taken way more seriously as this isn't the first time super sensitive info was stored as plain text resulting in an inevitable leak. 


On 6/28/2022 at 8:55 PM, shermantanker said:

This is obviously a major security risk for Californians, especially celebrities, judges, and law enforcement

Is it? You can generally find out pretty easily where people live... obviously this is a baffling display of incompetence but I don't know if the consequences are as bad as you make them out to be - it could have been much more sensitive data.

 

Also the right to privacy of US citizens was basically just waived from the constitution so... you probably can't even sue them for this anymore.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


I bet they did this deliberately just to blackmail firearms owners.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


4 hours ago, Brooksie359 said:

Like I said the list isn't the issue. The leaking of the list is the issue. Clearly this was extreme negligence to keep it as plain text and honestly I feel like this is just a part of a bigger issue where security for important information is not nearly good enough currently and needs to be taken way more seriously as this isn't the first time super sensitive info was stored as plain text resulting in an inevitable leak. 

There's Incompetence, Malicious Incompetence and Engineered Incompetence. The problem we have is that the information is way too politically charged (at least in CA; in other States it'd be basically a "don't rob those houses" list), so it has to be worked out which version of Incompetence it was. The first is unlikely, given the reality that there are standards & practices that are supposed to be met. The other two options are the ways activists cause problems in a lot of places. Either by intentionally doing bad practices or putting in place someone that is understood to mess something up. The power of this approach is that the paper trail will just show incompetence. It can be blamed on many things except the people actually responsible.

To be clear, the State of California just doxxed basically everyone involved in Law Enforcement & most Judges. Given the current activist movements of trying to basically remove all criminal prosecutions, there's very little room to view this as purely an accident. While this isn't catastrophic, it's going to get some people killed and there needs to be serious consequences laid upon the entire department for this.


This topic is now closed to further replies.
