SACRAMENTO, Calif. — California’s Department of Justice mistakenly posted the names, addresses and birthdays of nearly 200,000 gun owners on the internet because officials didn’t follow policies or understand how to operate their website, according to an investigation released Wednesday.
The investigation, conducted by an outside law firm hired by the California Department of Justice, found that personal information for 192,000 people was downloaded 2,734 times by 507 unique IP addresses during a 12-hour period in late June. All of those people had applied for a permit to carry a concealed gun.
The data was exposed just days after the U.S. Supreme Court ruled that people have a right to carry guns in public. The decision invalidated a California law that said people must give a reason for wanting to carry a concealed weapon. Lawmakers tried to pass new restrictions for concealed carry permits, but failed.
Investigators said they “did not uncover any evidence that the timing of the (data breach) was driven by a nefarious intent or was personally or politically motivated in any way.” Instead, state officials planned to publish what they thought was anonymous data “to meet anticipated heightened public interest in firearms-related data” following the court ruling.
An intentional breach of personal information carries more stiff fines and penalties under California law, according to Chuck Michel, an attorney and president of the California Rifle &Pistol Association. The association is preparing a lawsuit against the state and is encouraging people impacted by the exposure to talk with an attorney about filing their own lawsuits. Michel noted the leaked data likely included information from people in sensitive positions — including judges, law enforcement personnel and domestic violence victims — who had sought gun permits.
“There is a lot of gaps and unanswered questions, perhaps deliberately so, and some spin on this whole notion of whether this was an intentional release or not,” he said. “This is not the end of the inquiry.”
The Department of Justice contracted with the Morrison Foerster law firm to investigate the data exposure. The firm said it had “the mandate and autonomy to conduct an independent investigation that followed the facts and evidence wherever they led.”
Officials at the California Department of Justice did not know about the breach until someone sent Attorney General Rob Bonta a private message on Twitter that included screenshots of the personal information that was available to download from the state’s website, the investigation said.
State officials thought the report was a hoax. Two unnamed employees — identified only as “Data Analyst 1” and “Research Center Director” — investigated and mistakenly assured everyone that no personal information was publicly available. Meanwhile, the website crashed because so many people were trying to download the data. The website was working again at about 9:30 p.m.
State officials would not disable the website until noon the next day. By then, information had already been downloaded thousands of times.
State officials thought they were providing anonymous data for research and media requests about the use of guns in California. But the employee who created the website included several datasets that contained personal information. Investigators found that no one — neither employees who compiled the data nor the officials that supervised — knew the proper security settings to prevent the data from being available for public download.