California’s attorney general said Wednesday he has launched an investigation into how the personal information of thousands of individuals who have sought or obtained concealed and carry weapons permits over the last decade was exposed online to the public.
The California Department of Justice said that personal information was disclosed in connection with the June 27 update of its Firearms Dashboard Portal.
“This unauthorized release of personal information is unacceptable and falls far short of my expectations for this department,” said Attorney General Rob Bonta. “I immediately launched an investigation into how this occurred at the California Department of Justice and will take strong corrective measures where necessary. The California Department of Justice is entrusted to protect Californians and their data. We acknowledge the stress this may cause those individuals whose information was exposed. I am deeply disturbed and angered.”
Based on the department’s current investigation, the incident exposed the personal information of individuals who were granted or denied a concealed and carry weapons, or CCW, permit between 2011 and 2021.
Officials said information exposed included names, date of birth, gender, race, driver’s license number, addresses and criminal history.
Social Security numbers or any financial information were not disclosed as a result of this event, Bonta’s office said.
Additionally, data from the following Assault Weapon Registry, Handguns Certified for Sale, Dealer Record of Sale, Firearm Certificate Safety and Gun Violence Restraining Order dashboards were impacted.
The California State Sheriffs’ Association said it is alarmed to learn of the data breach and it issued an alert to make CCW permit holders aware of the situation so they can take appropriate precautions.
"It is infuriating that people who have been complying with the law have been put at risk by this breach," said CSSA President and Butte County Sheriff Kory Honea. "California’s sheriffs are very concerned about this data breach and the risk it poses to California’s CCW permit holders."
CSSA said it will continue to engage with DOJ in an effort to ensure that the risk to CCW permit holders is mitigated and a breach of this nature does not happen again.
The DOJ is investigating the extent to which any personally identifiable information could have been exposed from those dashboards and will report additional information as soon as confirmed.
In the coming days, the department said it will notify those individuals whose data was exposed and provide additional information and resources.
California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.
Lauren Berlinn, spokesperson for the Lake County Sheriff’s Office, said that agency had no further information on the matter beyond statements made by the DOJ and the California State Sheriffs’ Association regarding the breach, so couldn’t answer how many Lake County residents had their information exposed.
When the exposure occurred; actions to take to protect against fraud
The DOJ’s Wednesday report said that on the afternoon of June 27, the agency posted updates to the Firearms Dashboard Portal.
DOJ was made aware of a disclosure of personal information that was accessible in a spreadsheet on the portal.
After DOJ learned of the data exposure, the department took steps to remove the information from public view and shut down the Firearms Dashboard on Tuesday morning. The dashboard and data were available for less than 24 hours.
DOJ asks that anyone who accessed such information respect the privacy of the individuals involved and not share or disseminate any of the personal information.
In addition, possession of or use of personal identifying information for an unlawful purpose may be a crime; see Cal Penal Code Sec. 530.5.
Bonta’s office said it is communicating with law enforcement partners throughout the state. In collaboration, DOJ will provide support to those whose information has been exposed.
In an abundance of caution, the Department of Justice will provide credit monitoring services for individuals whose data was exposed as a result of this incident. DOJ will directly contact individuals who have been impacted by this incident and will provide instructions to sign up for this service.
Any Californian may take the following steps to immediately protect their information related to credit:
• Monitor your credit. One of the best ways to protect yourself from identity theft is to monitor your credit history. To obtain free copies of your credit reports from the three major credit bureaus go to https://www.annualcreditreport.com.
• Consider placing a free credit freeze on your credit report. Identity thieves will not be able to open a new credit account in your name while the freeze is in place. You can place a credit freeze by contacting each of the three major credit bureaus:
Equifax: https://www.equifax.com/personal/credit-report-services/credit-freeze/; 888-766-0008
Experian: https://www.experian.com/freeze/center.html; 888-397-3742
TransUnion: https://www.transunion.com/credit-freeze; 800-680-7289
• Place a fraud alert on your credit report. A fraud alert helps protect you against the possibility of someone opening new credit accounts in your name. A fraud alert lasts 90 days and can be renewed. To post a fraud alert on your credit file, you must contact one of the three major credit reporting agencies listed above. Keep in mind that if place a fraud alert with any one of the three major credit reporting agencies, the alert will be automatically added by the other two agencies as well.
• Additional resources. If you are a victim of identity theft, contact your local police department or sheriff’s office right away. You may also report identity theft and generate a recovery plan using the Federal Trade Commission’s website at www.identitytheft.gov.
• For more information and resources visit the attorney general’s website at www.oag.ca.gov/idtheft.