2022 Firearms Dashboard Data Exposure

WHAT HAPPENED

On June 27 and 28, 2022, confidential personal data of certain persons was unintentionally disclosed in connection with the June 27 publication of the DOJ's Firearms Dashboard on the OpenJustice website.

After DOJ confirmed that there was a potential data exposure, DOJ removed the confidential personal data from public view and shut down the Firearms Dashboard. The exposed confidential personal data was publicly accessible for less than 24 hours from June 27-28. DOJ then promptly launched an investigation to determine how the exposure occurred and retained the law firm of Morrison Foerster to lead an independent review with the assistance of FTI, an outside cyber expert. In addition to steps it has already taken, DOJ will take strong corrective measures as necessary and appropriate based on the findings and recommendations of the investigation.

The Report of Investigative Findings and Recommendations is available here.

ABOUT THE FIREARMS DASHBOARD AND OPENJUSTICE

The mission of DOJ’s California Justice and Information Services Division (CJIS) is to provide accurate, timely, and comprehensive criminal history and analysis data to its client agencies, which include local police and sheriff’s departments, district attorneys, and local and state regulatory agencies. In addition, CJIS’s Research Center manages OpenJustice, a DOJ website that publishes criminal justice data in various formats, including interactive dashboards using a commercially-available software program called Tableau. One of those dashboards was the Firearms Dashboard, which was launched on June 27, 2022. The Firearms Dashboard displayed data visualizations derived from firearms-related data maintained by DOJ, including data regarding (1) concealed carry weapons (CCW) permits and applications, (2) Firearms Safety Certificates (FSC), (3) Dealer Record of Sale (DROS) transactions, (4) the Assault Weapons Registry (AWR), (5) Gun Violence Restraining Orders (GVRO), and (6) the Roster of Certified Handguns.

DATA EXPOSURE

After the launch of the Firearms Dashboard on OpenJustice on June 27, DOJ received reports that confidential personal data (in a dataset underlying the visualizations displayed on the Firearms Dashboard that was never intended for public display, some of which could be used to identify individuals) was publicly accessible on the Firearms Dashboard, which DOJ promptly shut down on June 28.

INVESTIGATION FINDINGS

The independent investigation found that this improper exposure by DOJ of confidential personal data accessible on the Firearms Dashboard, while unacceptable, was unintentional and not connected to any nefarious purpose. The investigation found that the data exposure was due to a lack of DOJ personnel training, requisite technical expertise, and professional rigor; insufficiently documented and implemented DOJ policies and procedures; and inadequate oversight by certain supervisors. This combination of factors resulted in errors, poor judgment, and missed opportunities by certain DOJ personnel, and ultimately, in DOJ’s failure to meet the responsibilities with which it was entrusted as a custodian of confidential personal information.

More specifically, the investigation found that the underlying dataset used for the Firearms Dashboard unnecessarily included confidential personal data in violation of DOJ policy. The investigation found that such data was exposed due to an erroneous configuration of security settings for Tableau, the software platform that was used to create and publish the Firearms Dashboard. There is no evidence that the confidential personal data, which should not have been included in the underlying dataset, was ever intended to be displayed publicly.

The Report of Investigative Findings and Recommendations is available here.

WHAT DATA WAS EXPOSED

The data exposed included confidential personal data associated with four sets of firearms-related data: (1) concealed carry weapons (CCW) permits and applications, (2) Firearms Safety Certificates (FSC), (3) Dealer Record of Sale (DROS) transactions, and (4) the Assault Weapons Registry (AWR). Of note, Social Security Numbers and financial information were not included in the underlying dataset that was exposed.

Concealed Carry Weapons Permit Data

The investigation found that only CCW-related data, which was associated with individuals who applied for a CCW permit in approximately the years 2012-2021, contained names and other identifiers that could be used to independently identify individuals. The CCW-related data included name, date of birth, street address associated with the permit, gender, race, county, CCW License Number, status of CCW applications, and California’s Criminal Identification and Information/State Identification number (which is automatically generated during a fingerprint check and used to identify individuals in recordkeeping).

Other Firearms-Related Data

Although the exposed FSC, DROS, and AWR-related data also included personal data, the investigation found that this data did not have an associated individual name or other identifier and could not be used to independently identify individuals. Therefore, the risk from exposure of this data is limited. Information about specific data exposed from other dashboards can be found in the report here.

Since the data exposure, the investigation found no evidence of significant or continuing dissemination of the confidential personal data that was publicly accessible on the Firearms Dashboard on June 27-28.

HOW MANY PEOPLE WERE IMPACTED?

The investigation found that the confidential personal data of approximately 192,000 individuals, who applied for a CCW permit between around 2012-2021, could be used to independently identify them.

HOW THOSE AFFECTED WERE NOTIFIED

DOJ has sent letters to those identifiable individuals who may have been impacted by the data exposure. An example of the notification letter is available here.

DOJ asks that anyone who accessed or obtained the exposed confidential personal data respect the privacy of the individuals involved and destroy and not share or disseminate any of the data. In addition, possession of or use of personal identifying information for an unlawful purpose may be a crime. (See Cal. Penal Code Sec. 530.5.)

WHAT WE ARE DOING MOVING FORWARD

This public release of confidential personal data is unacceptable. DOJ removed the data from public view and shut down the Firearms Dashboard within 24 hours of the exposure. DOJ contacted individuals directly who may have been impacted to provide them with additional information and resources.

DOJ is currently implementing changes to help prevent future data exposures. Specifically, based on the recommendation of Morrison Foerster, DOJ will:

Conduct a thorough review and update of all DOJ policies and procedures regarding the handling of confidential personal data, including for both internal and external data requests, and the supervision of DOJ personnel handling such data. DOJ will use the results of that review to revise and strengthen all policies and procedures for the handling of confidential personal data, with particular attention to policies and procedures regarding supervision of personnel.
Provide enhanced trainings regarding the handling of confidential personal data, especially for DOJ personnel whose positions regularly involve the handling of such data.
Evaluate the security risk for IT solutions used for projects that involved confidential personal data. DOJ will use the results of the review to revise and strengthen all policies and procedures regarding the use of IT solutions for projects involving confidential personal data. DOJ will also provide formal training to DOJ personnel regarding the use of these solutions.
Hire a chief information security officer to improve oversight over risk management, data security, and related functions. This person will lead a team of specialists and have ultimate responsibility for data security across all DOJ components.
Develop a detailed data incident action plan for use in case of any future reports of exposure of confidential or sensitive data.
Review and revise its approval process for any project involving confidential personal data, to ensure that such review is sufficiently documented, systematic, and rigorous.

DOJ also will continue to communicate and collaborate with law enforcement partners throughout the state about this issue.

FAQ

1. Was my information exposed?

The data exposure revealed confidential personal data that could be used to independently identify individuals who applied for a CCW permit between approximately 2012-2021. DOJ previously contacted individuals directly whom it believed were impacted and provided additional information and resources for them. An example of the notification letter is available here.

For all other exposed data, although it included fields containing confidential personal data, these fields did not have an associated individual name or other identifier that could be used to independently identify individuals.

2. How did this happen?

Neither the Attorney General, nor anyone else at DOJ, authorized the release of this confidential personal data, nor was the Attorney General or anyone else at DOJ aware that it could be publicly accessed when the Firearms Dashboard was launched on June 27.

The independent review conducted by Morrison Foerster found that the improper exposure of confidential personal data by DOJ, while unacceptable, was unintentional and not connected to any nefarious purpose. The investigation found that the data exposure was due to a lack of DOJ personnel training, technical expertise, and professional rigor; insufficiently documented and implemented DOJ policies and procedures; and inadequate supervision and oversight by certain DOJ personnel.

This combination of factors resulted in errors, poor judgment, and missed opportunities by certain DOJ personnel, and ultimately, in DOJ’s failure to meet the responsibilities with which it was entrusted as a custodian of confidential personal information.

Morrison Foerster’s Report of Investigative Findings and Recommendations has been made public and is available here.

3. Were Social Security Numbers or financial information exposed?

Social Security Numbers and financial information were not disclosed in connection with the Firearms Dashboard data exposure.

4. What services are you offering impacted individuals? How do I enroll?

Out of an abundance of caution, DOJ has offered impacted individuals, at no charge, access to identity protection services through IDX, which includes: 12 months of triple-bureau credit monitoring, CyberScan dark web monitoring, a $1 million insurance reimbursement policy, and fully managed ID theft recovery services.

Additionally, any affected individual may take the following steps to immediately protect their information related to credit:

Monitor your credit. One of the best ways to protect yourself from identity theft is to monitor your credit history. To obtain free copies of your credit reports from the three major credit bureaus go to https://www.annualcreditreport.com.
Consider placing a free credit freeze on your credit report. Identity thieves will not be able to open a new credit account in your name while the freeze is in place. You can place a credit freeze by contacting each of the three major credit bureaus:
- Equifax: https://www.equifax.com/personal/credit-report-services/credit-freeze/; 888-766-0008
- Experian: https://www.experian.com/freeze/center.html; 888-397-3742
- TransUnion: https://www.transunion.com/credit-freeze; 800-680-7289
Place a fraud alert on your credit report. A fraud alert helps protect you against the possibility of someone opening new credit accounts in your name. A fraud alert lasts 90 days and can be renewed. To post a fraud alert on your credit file, you must contact one of the three major credit reporting agencies listed above. Keep in mind that if place a fraud alert with any one of the three major credit reporting agencies, the alert will be automatically added by the other two agencies as well.
Additional Resources. If you are a victim of identity theft, contact your local police department or sheriff's office right away. You may also report identity theft and generate a recovery plan using the Federal Trade Commission's website at https://www.identitytheft.gov/. For more information and resources visit the Attorney General's website at https://oag.ca.gov/idtheft.

5. What is the Firearms Dashboard?

The Firearms Dashboard on DOJ’s OpenJustice website was intended to provide the public with interactive visualizations, such as graphs displaying aggregated information, about the number of firearms and firearm-related permits approved each year, as well as other firearms-related statistics for which DOJ frequently receives information requests. The Firearms Dashboard was NEVER intended to make publicly accessible any confidential personal data associated with the data displays.

6. Was this a malicious hack? Have DOJ’s security systems been compromised? Is other personal information/data at risk?

The investigation did not uncover any evidence that an external threat actor was involved in this data exposure or that the security of DOJ’s systems was compromised in connection with this data exposure.

7. How will another data exposure be prevented?

DOJ has committed to accepting all of the investigation’s recommendations, which will prevent the unintended exposure of personal data. View these recommendations here.

Contact Us

DOJ has sent letters to those individuals whom DOJ believes may have been impacted by the data exposure. An example of the notification letter is available here.

Contact us via phone: 1-833-909-4419 (Monday-Friday, 6 a.m. - 6 p.m. PT)

Contact us online: www.oag.ca.gov/contact/general-comment-question-or-complaint-form

Who We Are

What We Do

What We're Working On

Media Center

Social Media

Career Opportunities

Organization of the Office

AG Honors Program & Geoffrey Wright Solicitor General Fellowship

For Businesses

Service on the Attorney General

Open Government

Grants

Programs

Most Popular