The Supreme Court on Thursday struck down New York’s century-old law restricting the carrying of concealed firearms. Source – Webmaster102 (CC BY 3.0)
A data breach has occurred in the state of California, exposing information about concealed-carry license holders. This could result in considerable amounts of personal information being disclosed in the digital realms frequented by criminals.
The breach occurred amid the Justice Department’s launch of its 2022 Gun Dashboard portal, highlighting a vulnerability with a new digital system.
For an overview of the incident and its cyberattack and security implications, Digital diary heard from Tyler Glotz, Director, Governance, Risk and Compliance at LogRhythm.
A major issue for Glotz concerns the type of information that was affected by the data breach and the implications for the community as a whole. Here, Glotz notes, “This breach of personally identifiable information reflects the challenging nature of information protection within state and local government agencies.”
At the heart of the problem, says Glotz, are the finances available. He says, “Limited infosec budgets increase the risk of non-public data being accidentally released or intentionally breached by bad actors. We still don’t know if this is a mistake or a hack, but the Fresno County Sheriff’s Office suggests that those affected file a police report online.”
Other aspects of the attack raise concerns about cybercriminals’ operational tactics, as well as information about vulnerabilities within organizations in general.
With such concerns, Glotz warns, “This event also raises questions about insiders or hacktivists reacting to nationwide changes in concealed carry law that came from NYSRPA v. Bruen days prior. The list was circulated on several social media sites immediately after being made public. Disclosure of sensitive data increases the actual physical security risk that results from a breach like this.”
As with any attack, lessons can be learned and corrective actions implemented to fend off the possibility of similar incidents occurring.
Here, Glotz says, “State and local government entities should ensure they implement strong access controls, change management, and robust data classification procedures and processes to avoid inadvertently releasing personal information like this, or to prevent them from being violated.”
Glotz acknowledges that companies need to do more to ward off such attacks in the future, noting, “This incident underscores the importance of application and product security testing to ensure things like this don’t happen before anything goes into production. When deploying a new platform, it is recommended to perform a data privacy impact assessment to determine what risks exist and how they can be mitigated.”