Independent Report Reveals Negligence That Led To Massive California Gun Owner Information Breach

The California Department of Justice released a report from an outside investigation concerning the massive data breach of gun owner information that took place in June.

The independent investigation, carried out by a team of independent legal experts, as well as forensic cyber specialists, found that the leak of data was “unacceptable,” but also “unintentional,” according to a press release from the Office of California Attorney General Rob Bonta.

It was caused by “a number of deficiencies within DOJ,” which included “lack of training, expertise, and professional rigor; insufficient documentation, policies, and procedures; and inadequate oversight.”

The investigation revealed that “some confidential personal data of roughly 192,000 individuals who applied for a concealed carry weapons (CCW) permit from approximately 2012-2021 was unintentionally disclosed due to the incident.”

The breach took place shortly after the Supreme Court decided that Americans have the right to publicly carry guns. The report ultimately discovered that actions taken by an analyst, a team, and DOJ supervisors led to the breach.

The dataset with private personal information “was downloaded approximately 2,734 times, in full or in part, across 507 unique IP addresses,” according to the report, but the number of people who saw the information could be even higher. “The investigation could not accurately determine the number of public visitors who may have only viewed, but did not download, the underlying dataset,” it added.

The report also provided details about the information that was released. Attorney General Rob Bonta received a message on Twitter alerting him that the personal data was made public, “including addresses and dates of birth for CCW permit holders.”

The report also stated that “the CCW-related data included data for the years 2012 to 2021 and included the following fields: name, date of birth, street address associated with the permit, gender, race, county, CCW License Number, status of CCW applications, and California’s Criminal Identification and Information/State Identification number.”

Alan Gottlieb, executive vice president of the Second Amendment Foundation, told The Daily Wire over email that the intentionality of the release doesn’t matter.

“It does not matter if the breach of personal gun owners data was intentional or not. It still amounts to a [grave] invasion of personal privacy. If a private entity allowed this violation to occur they would be held responsible for heavy monetary damages. The state of California should be held to the same standard,” Gottlieb said.

Sam Paredes, the executive director of Gun Owners of California, said the report was appalling and showed deep negligence on the part of Attorney General Rob Bonta.

“The report is scathing in reporting the lack of accountability and proper management practices and review procedures and documentation,” he said.

“We are calling on the Attorney General to fire the inept and negligent staff that allowed this to happen, including analysts and supervisors,” Paredes told The Daily Wire.

His group is also letting people know what legal action they can take.

“We are educating people whose identity has been released as to what their legal options are,” he said, adding that damages sought against the Attorney General because of the breach “could include paying for new or updated security systems of people’s homes and businesses, more robust personal identification security offers to those who have been affected, and emotional damages.”

The implications of the breach also involve cybersecurity and data concerns.

Dr. Aaron Brantly, associate professor at Virginia Tech, and director of Tech4Humanity Lab, has written and co-authored several books regarding cybersecurity.

Brantly told The Daily Wire over email that “[t]he accidental release of information on CCW permit applicants is another in a long line of data disclosures by both private and public entities.”

He said these types of releases are not unique to governmental bodies, but instead “highlight the continuing challenge of staffing and providing trained personnel to manage complex digital systems.”

“Any release of PII poses inherent potential security risks to individuals including but not limited to identify theft. Individuals whose data was disclosed will likely be offered security monitoring services. At present the types of data released have not been disclosed,” he wrote. “The security risks posed by the release are highly dependent on the types of data released. The unwanted disclosure of CCW permit application, approval, or denial might also potentially have adverse effects on individuals across a broad range of use/needs cases.”

“The State of California DOJ should be aware that this unintentional disclosure might have particularly adverse impacts on certain individuals,” he added.

When asked about the specific personal information that was revealed, and whether it impacts his response or cybersecurity concerns, Brantly said it does not, adding, “[a]ll of the same cybersecurity concerns remain.”

“The real question is how long was the data publicly accessible and how many times was it downloaded and by whom,” he added. “If it was downloaded is it now publicly available elsewhere, i.e. on the dark web?”