Leak of California gun owners’ private data far wider than originally reported

The California department of justice admitted it had exposed the personal information of as many as hundreds of thousands of gun owners in the state, in a controversial data breach that appears of a far broader scale than the agency first reported.

The data breach temporarily made public the names, birthdates, gender, race, driver's license numbers, addresses and criminal histories of people who were granted or denied permits to carry concealed weapons between 2011 and 2021. The state's Assault Weapon Registry, Handguns Certified for Sale, Dealer Record of Sale, Firearm Certificate Safety and Gun Violence Restraining Order dashboards were also affected, the department said.

California's attorney general, who oversees the agency, ordered an investigation into the exposure, saying he was "deeply disturbed and angered" by the department's failure to protect sensitive information.

"This unauthorized release of personal information is unacceptable and falls far short of my expectations for this department," Rob Bonta said.

The news surfaced on Wednesday when the Fresno county sheriff's office said that it had been informed of the data breach. It was initially reported that the exposure had affected every person with a concealed carry permit, rather than every person who was granted or denied a permit.

The breach sparked outrage among lawmakers, California law enforcement and gun rights groups. The California Rifle and Pistol Association called the release "unconscionable" and said it exposed law enforcement officials as well as vulnerable groups who had sought permits such as "rape and domestic violence victims".

The state's department of justice said that the exposure occurred after an update to its Firearms Dashboard Portal on Monday afternoon. The information was available on a publicly accessible spreadsheet for less than 24 hours until the agency shut down the website on Tuesday morning. Social security numbers and financial information were not disclosed.

The agency said it could not yet say how many individuals were affected, or whether the data was downloaded. The California State Sheriffs' Association said that it "appears" that "information was copied and at least some portion of it was posted on the internet" before the justice department detected the breach.

"It is infuriating that people who have been complying with the law have been put at risk by this breach," said the Butte county sheriff, Kory Honea, the president of the California State Sheriffs' Association, adding that sheriffs were concerned about potential risks to permit holders.

Bonta pledged to "take strong corrective measures where necessary" in response to the exposure.

"The California department of justice is entrusted to protect Californians and their data. We acknowledge the stress this may cause those individuals whose information was exposed," Bonta said.

The department plans to notify those affected by the breach, he said, and provide credit monitoring services.

California issued about 40,000 conceal and carry permits last year, down from more than 100,000 during the peak year of 2016, according to the state department of justice's website.