On June 27 and 28, 2022, confidential personal data of certain persons was unintentionally disclosed in connection with the June 27 publication of the DOJ's Firearms Dashboard on the OpenJustice website.
After DOJ confirmed that there was a potential data exposure, DOJ removed the confidential personal data from public view and shut down the Firearms Dashboard. The exposed confidential personal data was publicly accessible for less than 24 hours from June 27-28. DOJ then promptly launched an investigation to determine how the exposure occurred and retained the law firm of Morrison Foerster to lead an independent review with the assistance of FTI, an outside cyber expert. In addition to steps it has already taken, DOJ will take strong corrective measures as necessary and appropriate based on the findings and recommendations of the investigation.
The Report of Investigative Findings and Recommendations is available here.
The mission of DOJ’s California Justice and Information Services Division (CJIS) is to provide accurate, timely, and comprehensive criminal history and analysis data to its client agencies, which include local police and sheriff’s departments, district attorneys, and local and state regulatory agencies. In addition, CJIS’s Research Center manages OpenJustice, a DOJ website that publishes criminal justice data in various formats, including interactive dashboards using a commercially available software program called Tableau. One of those dashboards was the Firearms Dashboard, which was launched on June 27, 2022. The Firearms Dashboard displayed data visualizations derived from firearms-related data maintained by DOJ, including data regarding (1) concealed carry weapons (CCW) permits and applications, (2) Firearms Safety Certificates (FSC), (3) Dealer Record of Sale (DROS) transactions, (4) the Assault Weapons Registry (AWR), (5) Gun Violence Restraining Orders (GVRO), and (6) the Roster of Certified Handguns.
After the launch of the Firearms Dashboard on OpenJustice on June 27, DOJ received reports that confidential personal data was publicly accessible on the Firearms Dashboard. This data was in a dataset underlying the visualizations displayed on the Firearms Dashboard that was never intended for public display, and some of it could be used to identify individuals. DOJ promptly shut down the Firearms Dashboard on June 28.
The independent investigation found that this improper exposure by DOJ of confidential personal data accessible on the Firearms Dashboard, while unacceptable, was unintentional and not connected to any nefarious purpose. The investigation found that the data exposure was due to a lack of DOJ personnel training, requisite technical expertise, and professional rigor; insufficiently documented and implemented DOJ policies and procedures; and inadequate oversight by certain supervisors. This combination of factors resulted in errors, poor judgment, and missed opportunities by certain DOJ personnel, and ultimately, in DOJ’s failure to meet the responsibilities with which it was entrusted as a custodian of confidential personal information.
More specifically, the investigation found that the underlying dataset used for the Firearms Dashboard unnecessarily included confidential personal data in violation of DOJ policy. The investigation found that such data was exposed due to an erroneous configuration of security settings for Tableau, the software platform that was used to create and publish the Firearms Dashboard. There is no evidence that the confidential personal data, which should not have been included in the underlying dataset, was ever intended to be displayed publicly.
The data exposed included confidential personal data associated with four sets of firearms-related data: (1) concealed carry weapons (CCW) permits and applications, (2) Firearms Safety Certificates (FSC), (3) Dealer Record of Sale (DROS) transactions, and (4) the Assault Weapons Registry (AWR). Of note, Social Security Numbers and financial information were not included in the underlying dataset that was exposed.
The investigation found that only CCW-related data, which was associated with individuals who applied for a CCW permit in approximately the years 2012-2021, contained names and other identifiers that could be used to independently identify individuals. The CCW-related data included name, date of birth, street address associated with the permit, gender, race, county, CCW License Number, status of CCW applications, and California’s Criminal Identification and Information/State Identification number (which is automatically generated during a fingerprint check and used to identify individuals in recordkeeping).
Although the exposed FSC, DROS, and AWR-related data also included personal data, the investigation found that this data did not have an associated individual name or other identifier and could not be used to independently identify individuals. Therefore, the risk from exposure of this data is limited. Information about specific data exposed from other dashboards can be found in the report here.
Since the data exposure, the investigation found no evidence of significant or continuing dissemination of the confidential personal data that was publicly accessible on the Firearms Dashboard on June 27-28.
The investigation found that the confidential personal data of approximately 192,000 individuals, who applied for a CCW permit between approximately 2012 and 2021, could be used to independently identify them.
DOJ has sent letters to those identifiable individuals who may have been impacted by the data exposure. An example of the notification letter is available here.
DOJ asks that anyone who accessed or obtained the exposed confidential personal data respect the privacy of the individuals involved, destroy the data, and not share or disseminate any of it. In addition, possession of or use of personal identifying information for an unlawful purpose may be a crime. (See Cal. Penal Code Sec. 530.5.)
This public release of confidential personal data is unacceptable. DOJ removed the data from public view and shut down the Firearms Dashboard within 24 hours of the exposure. DOJ contacted individuals directly who may have been impacted to provide them with additional information and resources.
DOJ is currently implementing changes to help prevent future data exposures. Specifically, based on the recommendation of Morrison Foerster, DOJ will:
DOJ also will continue to communicate and collaborate with law enforcement partners throughout the state about this issue.
The data exposure revealed confidential personal data that could be used to independently identify individuals who applied for a CCW permit between approximately 2012 and 2021. DOJ previously contacted directly the individuals who it believed were impacted and provided additional information and resources for them. An example of the notification letter is available here.
For all other exposed data, although it included fields containing confidential personal data, these fields did not have an associated individual name or other identifier that could be used to independently identify individuals.
Neither the Attorney General, nor anyone else at DOJ, authorized the release of this confidential personal data, nor was the Attorney General or anyone else at DOJ aware that it could be publicly accessed when the Firearms Dashboard was launched on June 27.
The independent review conducted by Morrison Foerster found that the improper exposure of confidential personal data by DOJ, while unacceptable, was unintentional and not connected to any nefarious purpose. The investigation found that the data exposure was due to a lack of DOJ personnel training, technical expertise, and professional rigor; insufficiently documented and implemented DOJ policies and procedures; and inadequate supervision and oversight by certain DOJ personnel.
This combination of factors resulted in errors, poor judgment, and missed opportunities by certain DOJ personnel, and ultimately, in DOJ’s failure to meet the responsibilities with which it was entrusted as a custodian of confidential personal information.
Morrison Foerster’s Report of Investigative Findings and Recommendations has been made public and is available here.
Social Security Numbers and financial information were not disclosed in connection with the Firearms Dashboard data exposure.
Out of an abundance of caution, DOJ has offered impacted individuals, at no charge, access to identity protection services through IDX, which includes: 12 months of triple-bureau credit monitoring, CyberScan dark web monitoring, a $1 million insurance reimbursement policy, and fully managed ID theft recovery services.
Additionally, any affected individual may take the following steps to immediately protect their information related to credit:
The Firearms Dashboard on DOJ’s OpenJustice website was intended to provide the public with interactive visualizations, such as graphs displaying aggregated information, about the number of firearms and firearm-related permits approved each year, as well as other firearms-related statistics for which DOJ frequently receives information requests. The Firearms Dashboard was NEVER intended to make publicly accessible any confidential personal data associated with the data displays.
The investigation did not uncover any evidence that an external threat actor was involved in this data exposure or that the security of DOJ’s systems was compromised in connection with this data exposure.
DOJ has sent letters to those individuals who DOJ believes may have been impacted by the data exposure. An example of the notification letter is available here.
Contact us via phone: 1-833-909-4419 (Monday-Friday, 6 a.m. - 6 p.m. PT)
Contact us online: www.oag.ca.gov/contact/general-comment-question-or-complaint-form