Without regard to where you stand on gun control, the events in California last week are an IT and safety failure of massive proportions with no way to remedy the failure.
Three days after the media reported the breach, the California Attorney General started dribbling out incorrect information about what happened. There is still no full disclosure from the state, but there likely will be a lot of lawsuits.
Last week the California Department of Justice admitted that it had exposed the personal information of many gun owners in the state.
This was not because the system was hacked. Rather, the state did not set the permissions correctly – at least as best as we can tell since the state is not really saying – and left the private information in a new firearms dashboard publicly accessible.
Initially they said that names, birthdates, gender, race, driver’s license numbers, addresses and criminal history of people who received a concealed carry permit were exposed.
Then they said it also include those who were denied.
Then they added the states’ assault weapon registry was also exposed.
Also the handguns certified for sale database.
And the firearm certificate safety and gun violence restraining order databases.
The AG ordered an investigation and said he was deeply disturbed and angered. It is his department that was responsible for this mess. They run this dashboard.
He also said that this unauthorized release of personal information [BY HIS IT TEAM, NOT HACKERS] is unacceptable and falls far short of my expectations for this department.
At this point we don’t know if this data, which includes rape survivors, domestic violence victims, police officers, judges, prosecutors and many other people in sensitive situations, was copied – at least not from Bonta.
However, there is a lot of anecdotal information that the data has already been posted on the Internet, including in places outside the reach of U.S. legal takedown notices.
Because of crappy IT systems and ineffective security programs, the state doesn’t yet know if the data was downloaded, how many times it was downloaded or by whom. Or maybe, knowing that there will be lawsuits, they are just not saying yet.
If there is any silver lining here, the state did get the databases offline pretty much immediately after being told about the problem.
Bonta promised to take strong corrective measures where necessary, whatever that means.
Unfortunately, the AG is a politician and politicians tend to avoid anything negative, but this is not going to go away. Bonta is up for re-election this fall.
Remember, this is completely self inflicted. There was no hacker involved.
Oh, yeah, here is how the state plans to make domestic violence victims and others, who were re-victimized by the state, whole again. They plan to provide people who’s very personal data was compromised by the state with credit monitoring services. Are they really that dumb? If you are a judge and are worried about the safety of yourself and your family, how does credit monitoring help this situation.
This is, unfortunately, a breach that will be impossible to repair or recover from.
The victims here are the people who chose to follow the law. People who did not register their firearms are actually much safer.
In fairness, securing systems is hard. But it is not like the State of California is some mom and pop IT shop. And it is also important to point out that this is very sensitive data, so you would think that they would take extra care.
I don’t think people on either side of the gun control issue are going to be happy about this and privacy advocates are going to have a field day saying the government can’t be trusted with your information – which may be true.
Stay tuned – we will continue to watch this.
Credit: San Diego Union Tribune and The Guardian
