SAN FRANCISCO, Calif. (KRON) — Following a massive data breach that exposed the personal information of 192,000 Californians who applied for gun permits, the California Department of Justice released a report looking into what went wrong.

The DOJ released results Wednesday from an independent investigation of the exposure of confidential data associated with the DOJ’s 2022 Firearms Dashboard.

From June 27-28, confidential firearms-related data was publicly exposed on OpenJustice. The names, addresses, and license types of Concealed Carry Weapons permit holders in California were exposed.

The investigation found that personal data of roughly 192,000 people who applied for CCW permits between 2012-2021 was unintentionally disclosed.

Attorney General Rob Bonta said he “remains deeply angered that this incident occurred. This unauthorized release of personal information was unacceptable. This was more than an exposure of data, it was a breach of trust that falls far short of my expectations and the expectations Californians have of our department.”

Forensic cyber experts concluded that the Firearms Dashboard data breach was unintentional.

“While the report found no ill intent, this incident was unacceptable,” Bonta said.

The DOJ said it will implement all recommendations from the independent investigation. The recommendations include:

  • Conduct a thorough review of all DOJ policies and procedures regarding the handling of confidential personal data and the supervision of personnel handling such data.
  • Provide enhanced trainings regarding the handling of confidential personal data as appropriate, taking into account the specific roles and responsibilities of DOJ personnel. 
  • Evaluate security risks for IT solutions used for projects that involve personal data and provide formal training for DOJ personnel regarding the use of these solutions.  
  • Centralize and improve DOJ’s organizational structure to enhance oversight and supervision of organization-wide risk management, data security, and related functions. To improve its oversight over risk management, data security, and related functions, DOJ will hire a chief information security officer to lead a team of specialists and have ultimate responsibility for data security across all DOJ components.
  • Develop a detailed data incident action plan for use in case of any future reports of exposure of confidential or sensitive data. 
  • Review and revise its approval process for any project involving confidential personal data to ensure that such review is sufficiently documented, systematic, and rigorous.