Report: California AG's leak of gun owner info was the result of incompetence, not malicious intent

Report: California AG's leak of gun owner info was the result of incompetence, not malicious intent
Data Security Breach

I’m not sure I buy the explanation, but more importantly, it’s really no excuse. The release of tens of thousands of California gun owners’ personal information shouldn’t have happened at all, and it really doesn’t matter whether or not it was done intentionally or because there are a bunch of incompetent boobs working for California Attorney General Rob Bonta; damage was done regardless of intent.

Still, Bonta is already touting the release of an investigation into the data leak conducted by an outside law firm hired by CalDOJ to investigate what happened back in June when a data portal was unveiled to the public, despite the fact that it contained all kinds of information about gun owners that’s supposed to be private. The investigation found that the records of about 192,000 concealed carry applicants and gun owners were accessed more than 2,800 times by 507 unique IP addresses during the twelve hours or so that the data was exposed.

“The improper exposure of confidential personal data by DOJ, while unacceptable, was unintentional and not connected to any nefarious purpose,” investigators wrote in their report.

An intentional breach of personal information carries more stiff fines and penalties under California law, according to Chuck Michel, an attorney and president of the California Rifle & Pistol Association. Michel said his group is preparing a class action lawsuit against the state.

“There is a lot of gaps and unanswered questions, perhaps deliberately so, and some spin on this whole notion of whether this was an intentional release or not,” he said. “This is not the end of the inquiry.”

Nor should it be, and it’s great to see that there are plans for a lawsuit on the part of the CRPA.

So how exactly did the breach occur, according to the report? It sounds like a cascade of bad decisions and sheer incompetence on the part of the AGs office.

Officials at the California Department of Justice did not know about the breach until someone sent Attorney General Rob Bonta a private message on Twitter that included screenshots of the personal information that was available to download from the state’s website, the investigation said.

State officials at first thought the report was a hoax. Two unnamed employees — identified only as “Data Analyst 1” and “Research Center Director” — investigated and mistakenly assured everyone that no personal information was publicly available.

Meanwhile, the website crashed because so many people were trying to download the data. Another group of state officials worked to bring the website back online, unaware of the data breach. They got the website working again at about 9:30 p.m., which included the personal information ready for download.

State officials would not disable the website until about noon the next day. By then, the information had already been downloaded thousands of times.

State officials thought they were providing anonymous information in the aggregate for research and media requests about the use of guns in California. But the employee who created the website included several datasets that contained personal information.

Investigators found that no one — not the employee who compiled the data or the officials that supervised the employee — knew the proper security settings to prevent the data from being made available for download by the public.

This still doesn’t add up to me. Was there no testing of the data portal beforehand? No one actually bothered to check to see that all of the data was accurate, and didn’t include information that should not be publicly disclosed?

And once the leak had been reported, what sort of investigation did “Data Analyst 1” and “Research Center Director” actually do that supposedly led them to mistakenly believe that no personal information was available through the portal? The official report contains a lot of details, but never manages to explain how and why the data sets were allegedly overlooked, even after CalDOJ had received reports that personal information was accessible on the portal’s website.

Data Analyst-1, together with the Research Center Director, probed the Firearms Dashboard to determine if there was any way public visitors to OpenJustice could access confidential personal data. Data Analyst-1 repeatedly assured and demonstrated (erroneously, as was later determined) for the Research Center Director that only aggregated, anonymized data was displayed and available to the public. Data Analyst-1 also showed the Research Center Director the underlying dataset not intended for public display, whereby the Research Center Director learned for the first time that Data Analyst-1 had unnecessarily included confidential personal data associated with CCWrelated data in the underlying dataset. Data Analyst-1 repeatedly assured the Research Center Director, however, that the underlying dataset could not be publicly accessed. Nevertheless, the Research Center Director directed Data Analyst-1 to replace the underlying dataset with one that did not include any confidential personal data. Data Analyst-1 indicated that a new dataset could be ready that same evening.

The Research Center Director then reported to the CJIS Chief that Data Analyst-1 had included confidential personal data in the underlying dataset for the Firearms Dashboard but that such data was not publicly accessible based both on Data Analyst-1’s assurances and the Research Center Director’s and Data Analyst-1’s review of the Firearms Dashboard. Relying on these assurances, but without ordering further investigation or seeking assistance from ADB or other DOJ personnel with technical expertise, the CJIS Chief assured the CDAG that no confidential personal data was publicly accessible on the Firearms Dashboard. The CJIS Chief, however, never informed the CDAG that Data Analyst-1 had included confidential personal data in the underlying dataset and that such data had not yet been removed.

At the same time that Research Center personnel were probing the claim that confidential personal data was publicly accessible on the Firearms Dashboard, ADB personnel, acting at the direction of the ADB Director, probed the cause of the Tableau server outage, along with personnel from the Technology Services Bureau (TSB), another CJIS component. The ADB and TSB personnel concluded that the outage was due to inadequate server storage capacity. Due to poor communication, however, ADB and TSB personnel addressing the Tableau server outage were not focused on or were unaware of the claim regarding public access to confidential personal data. They, along with the ADB Director and the CJIS Chief, did not recognize a possible connection between the claim that confidential personal data was publicly accessible (including available for download) on the Firearms Dashboard and the Tableau server outage.

Later that evening, relying on the assurances from the Research Center Director that confidential personal data could not be publicly accessed on the Firearms Dashboard, the CJIS Chief unilaterally decided that when the Tableau server was restored, the Firearms Dashboard (with the same underlying dataset containing confidential personal data) should go live again. The CJIS Chief also decided that, due to the late hour and resulting increased risk of error, Data Analyst-1 should wait until the following morning to upload a new underlying dataset that did not contain any confidential personal data.

Late in the night of June 27, the ADB team was able to increase the storage capacity of the Tableau server and the Firearms Dashboard was brought back online with the original underlying dataset, as directed by the CJIS Chief. Early the next morning, June 28, Data Analyst-1 uploaded a new underlying dataset to the Tableau server that did not include any confidential personal data associated with CCW-related data, thereby replacing the initial underlying dataset. The FSC, DROS, and AWR-related data, however, was not updated in that new underlying dataset.

Shortly thereafter, that same June 28 morning, DOJ personnel learned that DOJ had received additional reports that confidential personal data was publicly accessible the previous night and early morning after the Tableau server was restored and the Firearms Dashboard went live again. Accordingly, the Research Center Director and Data Analyst-1, with the assistance of the ADB Director, further probed the Firearms Dashboard. They then discovered, for the first time, a means by which public visitors could access the underlying dataset. Upon this discovery, the Research Center Director informed the CJIS Chief that confidential personal data likely had been available to the public on the Firearms Dashboard. The CJIS Chief then alerted the CDAG.

Immediately after being informed by the CJIS Chief that confidential personal data could have been accessed by the public on the Firearms Dashboard, the CDAG directed that the Firearms Dashboard be taken down, which occurred shortly before noon Pacific Time on June 28. Later that same day, at the CDAG’s direction, the entire OpenJustice website was taken offline.

Is Data Analyst 1 still employed by CalDOJ? What about the Research Center Director? If this leak really was the result of incompetence and not malicious intent, were there any consequences whatsoever for the employees who screwed up, or are they still collecting a paycheck?

The report doesn’t mention any firings, so I can only assume that all those involved in the leak are still in the good graces of Rob Bonta. I guess exposing the personal information of 192,000 concealed carry applicants is just an “oopsie”, not a fireable offense. While Bonta may believe that the release of this report is the end of the story, it sounds like the CRPA isn’t ready or willing to let it be the final word, and hopefully the courts will deliver the accountability sorely lacking in the AG’s office.