Personal information from concealed-weapon permits was downloaded from a California Department of Justice Firearms Dashboard more than 2,700 times before it was removed this summer, according to an investigation commissioned by the agency. A report, released Wednesday, determined that the names, birthdays, addresses and other details of roughly 192,000 people were left unprotected. The law firm Morrison Foerster said there was no evidence that the disclosure was intentional. Instead, its inquiry found that lack of training, poor oversight and inadequate policies and procedures were factors in the embarrassing release.
It occurred in June, after the Department of Justice published an online tool meant to display aggregated firearms-related data. But visitors were also able to download underlying data, which included confidential information. In a statement Wednesday, state Attorney General Rob Bonta said: “This was more than an exposure of data, it was a breach of trust that falls far short of my expectations and the expectations Californians have of our department.”
The report traced the cause of the exposure back to an agency analyst, who months earlier had been assigned to create the new dashboard. The data was intended to be displayed in an interactive way, using charts. To build the dashboard the analyst — who was not named in the report — created a data set drawn from multiple agency sources. It included information about concealed weapon permit applicants. The report faulted the analyst for including confidential details in that underlying data set. It said the employee erroneously believed the public would not be able to access the information. It also said other agency staff could have done more to confirm whether that was true.
The agency published the dashboard shortly after noon on June 27. It appeared on its OpenJustice website, which houses state data related to matters like homicides and arrests. That evening, Bonta received messages on Twitter claiming that personal information about concealed-weapon permit holders was available in the newly released data. He quickly notified a deputy and his chief of staff, the report said. Before agency staff could fully investigate, a server outage caused problems with the OpenJustice website. The report found that it was due to users trying to download the newly published data.
When the Firearms Dashboard was restored that night, agency officials believed the personal information was secure. They were wrong, the investigation found. The decision to restore the website, made by an unnamed information services official, “proved to be a compounding error.” The vast majority of downloads of the confidential information occurred after the dashboard was restored, the report said. By noon on June 28, the agency had removed the dashboard. Later that evening, it took the OpenJustice website offline.
Morrison Foerster said it was unable to accurately determine how many times the personal data was viewed but not downloaded. Its investigation included searches on social media platforms and message boards to see whether the confidential information was shared. It found that some was disclosed around the time of the exposure but had mostly been removed or deleted. When asked whether any agency employees had been disciplined as a result of the investigation, a spokesperson for the Attorney General’s office Wednesday declined to comment on personnel matters. The spokesperson said in an email that the office “will take appropriate corrective action to prevent this from happening again.” The report recommended that the Department of Justice review its handling of confidential information, improve training and evaluate other potential security risks.
Bonta said the agency was implementing all the recommendations. He apologized to those whose information was exposed, saying he was still “deeply angered” by what had occurred.
Assemblyman Jim Patterson, R-Fresno, who called for an audit of the Department of Justice after the exposure, also expressed his unhappiness.
“Intended or not, this was an outrageous breach of private information that could have placed people in danger,” he said in a statement Wednesday. “Saying you’re sorry and it won’t happen again isn’t good enough. It should never have happened in the first place.”