A massive leak of personal information from a California state database for permits to carry concealed weapons is larger than initially reported, officials said Wednesday.
The revelation came a day after the Fresno County Sheriff’s Office said it was informed of a data breach affecting every person with a California concealed-carry permit.
On Wednesday, the California Department of Justice said the leak was more extensive, affecting not only current permit holders but anybody who was granted or denied a permit to carry a concealed weapon between 2011 and 2021.
The data were exposed when the Department of Justice updated its Firearms Dashboard Portal on Monday, state Atty. Gene. Rob Bonta’s office said in a statement.
The information included names, dates of birth, gender, race, driver’s license numbers, addresses and criminal histories, according to the statement. Social Security numbers and financial information were not exposed.
In addition to information from the concealed-carry permit applications, data on the Assault Weapon Registry, Handguns Certified for Sale, Dealer Record of Sale, Firearm Safety Certificate and Gun Violence Restraining Order dashboards were “also impacted,” Bonta’s office said, but authorities are investigating whether any personally identifiable information was exposed from those dashboards.
“This unauthorized release of personal information is unacceptable and falls far short of my expectations for this department,” Bonta said. “I immediately launched an investigation into how this occurred at the California Department of Justice and will take strong corrective measures where necessary.”
The Justice Department is entrusted to protect Californians and their data, he said, adding that he was “deeply disturbed and angered.”
The California State Sheriffs’ Assn. said it was “alarmed” to learn of the breach.
“It is infuriating that people who have been complying with the law have been put at risk by this breach,” said Butte County Sheriff Kory Honea, the association’s president. “California’s sheriffs are very concerned about this data breach and the risk it poses to California’s CCW permit holders.”
All California law enforcement agencies that issue concealed-carry permits are required to provide “certain information” about permit holders to the Justice Department, “which in turn is required to safeguard that information,” according to a statement by the sheriffs’ association.
“It appears that before the breach was detected by DOJ, the information was copied and at least some portion of it was posted on the internet,” the statement said.
Justice Department officials said the data were exposed for less than 24 hours.
The department had posted updates to the portal Monday afternoon and was later made aware “of a disclosure of personal information that was accessible in a spreadsheet on the portal,” the agency’s statement said. Officials removed the information from public view and shut down the firearms dashboard Tuesday morning.
The California Rifle and Pistol Assn. called the incident “a privacy breach of stunning proportions.”
The association demanded that the Justice Department not restore the dashboard until it’s certain no private information can be accessed.
Leaked data puts thousands of people at risk, including judges, prosecutors and law enforcement officers, said the firearms group, which called the breach “a massive violation of California law.”
“CRPA and our attorneys are exploring all options, up to and including litigation, to protect the privacy of California gun owners who are now in danger thanks to the DOJ,” the association said. “All citizens of California should be concerned about this type of reckless care of the data the state holds on its citizens.”
The Rifle and Pistol Assn. demanded an independent investigation into the leak and said the Justice Department had to act promptly “to be completely transparent about what occurred [and] take all steps necessary to limit the damage.”
The state dashboard was billed as a way to improve transparency and information-sharing for data related to firearms.
It contained information from the last decade on dealer records of sales, gun violence restraining orders, concealed-carry weapons permits, firearms safety certificates, assault weapons and a roster of certified handguns, according to a statement by Bonta’s office.
“DOJ seeks to balance its duties to provide gun violence and firearms data to support research efforts while protecting the personal identifying information in the data the Department collects and maintains,” the Monday statement said.
Officials will notify people affected by the data breach “and provide additional information and resources” in the coming days, the Justice Department said Wednesday.
The agency will provide credit monitoring services for those whose data were exposed by the leak and will directly contact those individuals to provide instructions on how to sign up.