California DOJ leak of gun owners' personal information not 'nefarious': Investigation

A June 2022 incident that resulted in the leak of concealed carry weapon holder’s personal information on a California Department of Justice dashboard was “unintentional” and “not connected to any nefarious purpose,” according to the results of an independent investigation released Wednesday.

The DOJ faced criticism over the summer after exposing the personal information of concealed carry weapon permit holders during an update of its 2022 Firearms Dashboard. For a period of less than 24 hours from June 27 to 28, public visitors to the database could access the personal information of roughly 192,000 concealed carry weapon permit applicants and holders – including full names, home addresses, dates of birth, drivers license numbers and even criminal histories.

Attorney General Rob Bonta said he was “deeply disturbed and angered” in the aftermath of the data exposure and retained a law firm to lead an independent investigation.

The results of the independent investigation, released on Wednesday, found the data exposure was “unintentional” and stemmed from a lack of training, insufficient knowledge and a lack of oversight. The investigation found that “improper exposure of confidential personal data by DOJ, while unacceptable, was unintentional and not connected to any nefarious purpose.”

According to a report outlining the investigation’s findings, a DOJ data analyst “unnecessarily uploaded” confidential personal information into the dashboard software “without the knowledge of other DOJ personnel.” Investigators said they found no evidence to suggest the analyst acted with “nefarious intent” or that “DOJ personnel intended for the public release of confidential personal data.”

“While Data Analyst-1 acted without nefarious intent, Data Analyst-1 was inattentive to established policies and procedures, lacked necessary appreciation for security risks, and had insufficient knowledge of Tableau [software platform] security settings,” the report states. “Data Analyst-1 also had inadequate training and supervision.”

Investigators also discovered the concealed carry weapon-related data containing the confidential personal information was downloaded either partially or in full around 1,467 times across 341 unique IP addresses. The DOJ has sent letters to individuals who they believe may have been impacted by the data exposure.

In response to the investigation, the DOJ has agreed to conduct a thorough review of the department’s policies on handling confidential information, enhance training on handling personal data and improving oversight over risk management by hiring a chief information security officer.

In a statement, Bonta said he remains “deeply angered this incident occurred,” calling the release of personal information “unacceptable.”

“While the report found no ill intent, this incident was unacceptable, and DOJ must be held to the highest standard,” Bonta said. “This failure requires immediate correction, which is why we are implementing all of the recommendations from this independent report.”

The Department of Justice does not have an anticipated date as to when an updated Firearms Dashboard could go live in the future, the attorney general’s office told The Center Square in an email. As part of the investigation’s recommendations on data security, the “DOJ is evaluating the future of the Firearms Dashboard and similar dashboards.”