SACRAMENTO, CA – Cybersecurity experts interviewed by the Associated Press are painting a potentially damning portrait of the California Department of Justice’s data breach, which exposed the personal information of every citizen in the state with a concealed carry permit last Monday.
The AP article revealed that the personal information of every concealed carry permit holder in California was only a few clicks away from being reviewed and downloaded for an astonishing 24-hour period. As we reported to you earlier this week, the data breach occurred during the launch of the California DOJ’s 2022 Firearms Dashboard Portal.
“Given the sensitive nature of the data exposed and potential impact to those directly involved, I would expect a response in much less than 24 hours from notification to action,” Tim Marley, a vice president for risk management at Cerberus Sentinel, told the AP.
The California DOJ is also being criticized for lack of access controls “to make sure the information stayed out of the reach of unwanted parties,” Luta Security founder and CEO Kate Moussouris told the AP. Moussouris also said that the data of California’s concealed carry permit holders should have been encrypted so it would have been unusable.
Perhaps most disturbing for California concealed carry permit holders is Moussouris’ comment that criminals could have accessed the information to sell it or possibly use it as blackmail against them.
“(California Attorney General Rob) Bonta’s office has been unable to say whether and how often the databases were downloaded,” the AP reported. “Moussouris said the agency has that information if it was keeping access logs, which she called a basic and necessary step to protect sensitive data.”
Thus far, there has been no official evidence that the leaks were deliberate in nature, according to the AP. Yet, despite Bonta verbally saying he was angry over the breach and promising a full investigation, Second Amendment advocates and gun rights groups sense something amiss.
“The volume of information is so incredibly sensitive,” Sam Paredes, executive director of Gun Owners of California, told the AP. “Deputy DAs, police officers, judges, they do everything they can to protect their residential addresses,” he said. “The peril that the attorney general has put hundreds of thousands of people … in is incalculable.”
Paredes has called for Bonta’s resignation over the data breach.
The more information is revealed about what happened here and how long it took to respond, the more we feel justified in thinking something very shady occurred in the California DOJ. Assuming that the initial data breach resulted from simple human error or incompetence, why did the response take 24 hours?
While we cannot say for sure what happened, the way the California DOJ handled the initial breach and the subsequent response is consistent with the actions of a state that goes to great lengths to let law-abiding gun owners know that they are not welcome. This message was sent loud and clear in the lackadaisical response to the breach by Bonta’s office.
We hope the proposed class action lawsuit mentioned in the AP article takes off and brings accountability.