A data breach has taken place within the state of California, leading to information about concealed permit holders becoming exposed. This could lead to considerable amounts of personal information being released into the digital realms of criminals.
The breach occurred as part of the Justice Department’s launch of its 2022 Firearms Dashboard Portal, highlighting a vulnerability with a new digital system.
To gain an insight into the incident and the cyberattack and security implications, Digital Journal heard from Tyler Glotz, Manager, Governance Risk & Compliance at LogRhythm.
A stand-out issue for Glotz relates to the type of information that was affected by the data breach and the implications for the community at large. Here Glotz finds: “This breach of personal identifiable information reflects the challenging nature of protecting information within state and local government agencies.”
At the heart of the issue, says Glotz, is available finances. He states: “Limited infosec budgets raise the risk of non-public data accidentally being released or intentionally breached by bad actors. We still don’t have word if this was a mistake or a hack, but the Fresno County Sheriff’s office is suggesting persons affected should file an online police report.”
Other aspects of the attack raise concerns about the operational tactic of cybercriminals, as well as informing about vulnerabilities within organisations overall.
With such concerns, Glotz cautions: “This event also raises questions of inside actors or hacktivists reacting to national changes in concealed carry law that came from NYSRPA v Bruen just days before. The list was circulated on several social media sites immediately after being made public. Release of sensitive data furthers the risk to real physical safety that results from a breach like this.”
As with any attack, there are lessons that can be learned and corrective actions implemented to push back the possibility of similar incidences occurring.
Here Glotz says: “State and local government entities should make sure to implement strong access controls, change management, and robust data classification procedures and processes to avoid accidentally disseminating personal information like this, or prevent them from being breached.”
Glotz acknowledges that firms need to do more to repel such attacks in the future, finding: “This incident stresses the importance of application and product security testing to ensure things like this don’t happen before something is pushed into production. When rolling out a new platform, it is best practice to perform a Data Privacy Impact Assessment to determine what privacy risks exist and how they can be mitigated.”
