By ADAM BEAM
SACRAMENTO — California’s Department of Justice said in an investigation released Wednesday that officials mistakenly posted the names, addresses and birthdays of nearly 200,000 gun owners online because they didn’t follow policies or didn’t understand how to manage their websites.
An investigation by an outside law firm hired by the California Department of Justice found that over a roughly 12-hour period in late June, the personal information of 192,000 people was downloaded 2,734 times by 507 unique IP addresses. All of those persons applied for a permit to carry a concealed weapon.
The data comes days after the US Supreme Court ruled that people have the right to carry guns in public. The ruling invalidated a California law that required people to show a reason for wanting to carry a concealed weapon as a threat to their safety. Lawmakers then tried to pass new restrictions on concealed carry permits, but failed.
Investigators said they found “no evidence that the timing of (the data breach) was maliciously manipulated or in any way personally or politically motivated.” Instead, state officials said they planned to release the anonymous information after the court ruling “to meet the anticipated increased public interest in firearms information.”
According to Chuck Michel, president of the California Rifle and Pistol Association and an attorney, the willful breach of personal information carries stiffer fines and penalties under California law. Michel said his group is preparing a class action lawsuit against the state. He noted that the leaked information likely included information from people in sensitive positions, including judges seeking gun permits, law enforcement officers and victims of domestic violence.
“There are a lot of gaps and unanswered questions, maybe it’s intentional, and some are working on this whole idea of whether or not it was an intentional omission,” he said. “This is not the end of the investigation.”
The Justice Department contracted the law firm Morrison Foerster to investigate the data breach. The firm said it had the “authority and autonomy to conduct independent investigations based on facts and evidence wherever it takes place”.
California Department of Justice officials were unaware of the breach until someone sent Attorney General Rob Bonta a private message on Twitter that included screenshots of personal information, the investigation said.
State officials initially thought the news was fake. Two unnamed employees—identified only as “Data Analyst 1” and “Research Center Director”—investigated and mistakenly assured everyone that no private information was publicly available.
Meanwhile, the website crashed because so many people tried to download the data. Another group of government officials, unaware of the breach, worked to bring the website back online. They got the site back up and running around 9:30 p.m
State officials would not shut down the site until noon the next day. By then, the data had been downloaded thousands of times.
State officials thought they were providing aggregate information anonymously for research and media inquiries about gun use in California. But the person who created the website included several sets of data that contained personal information.
Investigators found that no one—neither the employee who compiled the data nor the officers supervising the employee—knew the necessary security settings to prevent public downloads of the data.
“This was more than a disclosure, it was a breach of trust that fell far short of my expectations and Californians’ expectations of our department,” Attorney General Bonta said. “I am deeply outraged that this incident occurred, and on behalf of the Department of Justice, I deeply apologize to those affected.”
Other information, including firearm safety certificates, sales dealer records and information from the state’s assault weapons registry, was also mistakenly released. This data includes more than 2 million people’s dates of birth, gender and driver’s license numbers, and 8.7 million gun transactions. But investigators said there wasn’t enough information in those data sets to identify anyone.
Investigators recommended more training and planning for government officials, including reviewing and updating policies and procedures.
“This failure requires immediate remediation, so we are implementing all of the recommendations in this independent report,” Bonta said.