Investigators Say Leak Of Gun Owners’ Personal Information Was ‘Unintentional’

In June, the California Department of Justice leaked thousands of concealed carry weapon holders’ personal information. An independent investigation into the leak recently concluded that the incident was “unintentional.”

On June 27, public visitors to the DOJ database could access the personal information of 192,000 concealed carry weapon permit applicants and holders — including full names, addresses, dates of birth, driver’s license information, and even some criminal histories.

In the aftermath of the data display, Attorney General Rob Bonta retained a law firm to investigate. The investigation results found the exposure to be “unintentional,” stemming from a lack of employee training and knowledge with insufficient oversight.

The official report said, “improper exposure of confidential personal data by DOJ, while unacceptable, was unintentional and not connected to any nefarious purpose.”

According to investigative reports, several employees made mistakes that led to the information leak. One DOJ analyst uploaded confidential information into the dashboard software without the knowledge of their supervisors — “unintentionally.” But investigators said they had no evidence the employee had a motive or “nefarious intent.”

The employee was found to be inattentive to policies and procedures, skipped security corners often, and had insufficient knowledge of the software security platform the DOJ uses — which apparently led to the employee needlessly uploading confidential information without being told to. The report mentioned that the employee who caused the data outbreak had inadequate training and poor supervision. And, apparently, they were also very ambitious, doing extra work without being instructed to.

The DOJ has sent letters to individuals potentially impacted by the exposure after investigators found some leaked information was downloaded around 1,467 times across 341 IP addresses.

A thorough review of the department’s policies and procedures will reportedly be conducted. The department also promised to enhance training on handling data and hire a chief information security officer to improve its quality of supervision.