Independent Report Reveals Negligence That Led To Massive California Gun Owner Information Breach
Santa Monica, CA - July 22: California Attorney General Rob Bonta speaks during a news conference on gun legislation Friday, July 22, 2022 at Santa Monica College where five people were shot and killed in 2013 by a gunman. (Photo by Hans Gutknecht/MediaNews Group/Los Angeles Daily News via Getty Images)

The California Department of Justice released a report from an outside investigation concerning the massive data breach of gun owner information that took place in June.

The independent investigation, carried out by a team of independent legal experts, as well as forensic cyber specialists, found that the leak of data was “unacceptable,” but also “unintentional,” according to a press release from the Office of California Attorney General Rob Bonta.

It was caused by “a number of deficiencies within DOJ,” which included “lack of training, expertise, and professional rigor; insufficient documentation, policies, and procedures; and inadequate oversight.”

The investigation revealed that “some confidential personal data of roughly 192,000 individuals who applied for a concealed carry weapons (CCW) permit from approximately 2012-2021 was unintentionally disclosed due to the incident.”

The breach took place shortly after the Supreme Court decided that Americans have the right to publicly carry guns. The report ultimately discovered that actions taken by an analyst, a team, and DOJ supervisors led to the breach.

The dataset with private personal information “was downloaded approximately 2,734 times, in full or in part, across 507 unique IP addresses,” according to the report, but the number of people who saw the information could be even higher. “The investigation could not accurately determine the number of public visitors who may have only viewed, but did not download, the underlying dataset,” it added.

The report also provided details about the information that was released. Attorney General Rob Bonta received a message on Twitter alerting him that the personal data was made public, “including addresses and dates of birth for CCW permit holders.”

The report also stated that “the CCW-related data included data for the years 2012 to 2021 and included the following fields: name, date of birth, street address associated with the permit, gender, race, county, CCW License Number, status of CCW applications, and California’s Criminal Identification and Information/State Identification number.”

Alan Gottlieb, executive vice president of the Second Amendment Foundation, told The Daily Wire over email that the intentionality of the release doesn’t matter.

“It does not matter if the breach of personal gun owners data was intentional or not. It still amounts to a [grave] invasion of personal privacy. If a private entity allowed this violation to occur they would be held responsible for heavy monetary damages. The state of California should be held to the same standard,” Gottlieb said.

Sam Paredes, the executive director of Gun Owners of California, said the report was appalling and showed deep negligence on the part of Attorney General Rob Bonta.

“The report is scathing in reporting the lack of accountability and proper management practices and review procedures and documentation,” he said.

“We are calling on the Attorney General to fire the inept and negligent staff that allowed this to happen, including analysts and supervisors,” Paredes told The Daily Wire.

His group is also letting people know what legal action they can take.

“We are educating people whose identity has been released as to what their legal options are,” he said, adding that damages sought against the Attorney General because of the breach “could include paying for new or updated security systems of people’s homes and businesses, more robust personal identification security offers to those who have been affected, and emotional damages.”

The implications of the breach also involve cybersecurity and data concerns.

Dr. Aaron Brantly, associate professor at Virginia Tech, and director of Tech4Humanity Lab, has written and co-authored several books regarding cybersecurity.

Brantly told The Daily Wire over email that “[t]he accidental release of information on CCW permit applicants is another in a long line of data disclosures by both private and public entities.”

He said these types of releases are not unique to governmental bodies, but instead “highlight the continuing challenge of staffing and providing trained personnel to manage complex digital systems.”

“Any release of PII poses inherent potential security risks to individuals including but not limited to identity theft. Individuals whose data was disclosed will likely be offered security monitoring services. At present the types of data released have not been disclosed,” he wrote. “The security risks posed by the release are highly dependent on the types of data released. The unwanted disclosure of CCW permit application, approval, or denial might also potentially have adverse effects on individuals across a broad range of use/needs cases.”

“The State of California DOJ should be aware that this unintentional disclosure might have particularly adverse impacts on certain individuals,” he added.

When asked about the specific personal information that was revealed, and whether it impacts his response or cybersecurity concerns, Brantly said it does not, adding, “[a]ll of the same cybersecurity concerns remain.”

“The real question is how long was the data publicly accessible and how many times was it downloaded and by whom,” he added. “If it was downloaded is it now publicly available elsewhere, i.e. on the dark web?”

Andreas Grant, a network engineer and founder of Networks Hardware, told The Daily Wire that the key to solving the problem is training people better. 

“No matter how secure a cloud infrastructure is, one can never achieve hundred percent security. But having untrained people run things means leaving a door of vulnerability wide open. It’s just plain and simple ignorance from the officials running the website. They ‘thought’ they were posting anonymous data publicly which was clearly not the case,” Grant noted over email. “The worst and also the most important part here is the employees who were in charge. None of the employees there actually had the knowledge to implement proper security settings.”

“As a Network Security Engineer, I am always worried about how both government and small businesses are handling cybersecurity issues these days. They want people with very little IT knowledge to handle the security aspect which then leads to incidents like this one,” Grant said.

Jake Denton, a Tech Policy Center research associate at The Heritage Foundation, told The Daily Wire over email, “[t]he egregious deficiencies highlighted in this report reflect the broader challenges we are facing as a country in the domain of cybersecurity.”

“As of June, it has been reported that there are over 700 thousand unfilled cyber security positions across all sectors of the United States economy. As the threat of cyber-attacks against the United States continues to grow, our country is clearly underequipped and ill-prepared to defend our data,” he added. 

The implications for conservatives are especially concerning, Will Thibeau, a Tech Policy Center policy analyst at The Heritage Foundation, told The Daily Wire.

“Mistakes and accidents seem to only happen to conservatives these days,” Thibeau said over email. “California’s gross violation of citizens’ expectation of data privacy must alert conservatives to the reality of information security.”

Brandon Drey contributed to this report. 
