A Puerto Rico government agency exposed 1M Social Security numbers

Glowimages via Getty Images

A cybersecurity loophole in an official government mapping service left private data easily accessible, Centro de Periodismo Investigativo and ProPublica learned.

This article was originally published by ProPublica.

The government agency that collects property taxes in Puerto Rico inadvertently exposed the Social Security numbers of approximately 1 million people, Centro de Periodismo Investigativo and ProPublica learned.

It was the latest cybersecurity lapse for the Puerto Rico government, which in the past three years has seen technology breaches interrupt government services, take websites offline and lead to citizens’ personal information being published on the dark web.

CPI and ProPublica became aware of the vulnerability related to the Municipal Revenue Collection Center’s interactive property map, known as the Catastro Digital, and notified the agency in mid-June.

The online tool provides information, such as size, boundaries, tax assessment, sale price and owner’s name, for every registered property on the island.

While a simple search of the map wouldn’t reveal sensitive information, anyone who understands how websites request data could download unprotected personal information such as Social Security numbers without a username or password.

The news organizations were able to verify the security hole and provided the agency, known by its Spanish initials, CRIM, with a detailed description of the issue that included the specific server and folders that contained the compromised data.

Despite the notification, CRIM has repeatedly denied there were any problems with its system.

“Following a review of the Catastro Digital platform, it was determined that there was NO breach of confidential personal taxpayer information, as the Catastro Digital does NOT contain or display the type of information alluded to,” CRIM Executive Director Javier García Cintrón said.

But a few days after CPI and ProPublica contacted CRIM, the news organizations were able to see that the security holes had been patched.

García denied that, saying there was no need to fix any problem. A Puerto Rico law requires any entity, including government agencies, to promptly notify users if their personal information has been breached. But García said the agency would not reach out to users to tell them that their Social Security numbers were potentially exposed, as “no protected information was at risk.”

CRIM also did not notify the Puerto Rico Innovation & Technology Service, known as PRITS, which oversees all government information technology systems. The government’s cybersecurity protocol requires informing PRITS of “any suspected security incident.”

A PRITS spokesperson declined to answer questions and said they had to be submitted under Puerto Rico’s public information law, which is meant to allow citizens to get government records and not to answer press questions.

So far this year, more than 2 million attempted cyberattacks have been recorded within the Puerto Rico government, PRITS data shows. Half of these were deemed critical incidents, which involve “severe impact on critical operations, the compromise of sensitive data, or an imminent threat to agency security or government data,” according to the agency.

In March, citizens saw their driver’s license and registration appointments postponed after an attempted cyberattack on Transportation Department systems. Last year, Puerto Rico residents could not verify their criminal record status, which they need for employment, for almost a week because of an “unauthorized access” to the local Justice Department’s criminal records database. In 2023, Puerto Rico water utility clients and employees saw their personal information published on the dark web after a ransomware attack.

An increase in attacks prompted Puerto Rico lawmakers in 2024 to approve a comprehensive cybersecurity law, Act 40, which mandated all government agencies implement minimum cybersecurity standards and principles. It also established penalties for noncompliance and required all government agencies to conduct a risk assessment at least once annually.

But three cybersecurity experts said agencies have failed to fully implement the security standards set out under the law, even as attacks become more frequent and sophisticated. Instead of periodically assessing and tackling vulnerabilities that prevent these attacks, agencies are reactive, they said.

A Puerto Rico Inspector General Office report released late last year found deficiencies across 90 local government agencies, with 60% of them failing to conduct vulnerability assessments of their IT systems.

The government would be in “much better shape” if it focused on employee training and implemented tools like multifactor authentication on the front end, said Carlos Pérez, a cybersecurity expert in Puerto Rico who is director of security intelligence at TrustedSec, a company that consults with governments and private companies.

“We are addressing the symptom but not the disease,” he said.

In most cases, the cybersecurity law falls short of requiring unified standards across the government, said a former government IT employee, who asked not be named because he feared professional repercussions. That lack of a single set of standards has allowed agencies to decide on their own how they protect personal data.

García explained that, as part of CRIM’s security measures, the agency uses passwords, usernames and text messages to validate identity. He denied that anyone could access the Catastro Digital database without a password except to conduct individual searches through the public website.

The ability to access Social Security numbers through CRIM’s property map raises concerns given the proliferation of private companies that sell Puerto Rico real estate information, obtained from public databases such as Catastro Digital. Any of those companies could have accessed the data, including personal information.

At least three property listings companies contacted by CPI and ProPublica said they were not aware of any vulnerability and did not access the sensitive data.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.