The federal government company that collects property taxes in Puerto Rico inadvertently uncovered the Social Safety numbers of roughly 1 million individuals, Centro de Periodismo Investigativo and ProPublica realized.
It was the newest cybersecurity lapse for the Puerto Rico authorities, which previously three years has seen know-how breaches interrupt authorities providers, take web sites offline and result in residents’ private info being revealed on the darkish internet.
CPI and ProPublica grew to become conscious of the vulnerability associated to the Municipal Income Assortment Heart’s interactive property map, often known as the Catastro Digital, and notified the company in mid-June.
The web instrument supplies info, akin to measurement, boundaries, tax evaluation, sale value and proprietor’s identify, for each registered property on the island.
Whereas a easy search of the map wouldn’t reveal delicate info, anybody who understands how web sites request knowledge might obtain unprotected private info akin to Social Safety numbers with no username or password.
The information organizations had been in a position to confirm the safety gap and offered the company, recognized by its Spanish initials, CRIM, with an in depth description of the problem that included the precise server and folders that contained the compromised knowledge.
Regardless of the notification, CRIM has repeatedly denied there have been any issues with its system.
“Following a evaluation of the Catastro Digital platform, it was decided that there was NO breach of confidential private taxpayer info, because the Catastro Digital does NOT comprise or show the kind of info alluded to,” CRIM Government Director Javier García Cintrón mentioned.
However a couple of days after CPI and ProPublica contacted CRIM, the information organizations had been in a position to see that the safety holes had been patched.
García denied that, saying there was no want to repair any drawback. A Puerto Rico legislation requires any entity, together with authorities companies, to promptly notify customers if their private info has been breached. However García mentioned the company wouldn’t attain out to customers to inform them that their Social Safety numbers had been doubtlessly uncovered, as “no protected info was in danger.”
CRIM additionally didn’t notify the Puerto Rico Innovation & Know-how Service, often known as PRITS, which oversees all authorities info know-how techniques. The federal government’s cybersecurity protocol requires informing PRITS of “any suspected safety incident.”
A PRITS spokesperson declined to reply questions and mentioned they needed to be submitted underneath Puerto Rico’s public info legislation, which is supposed to permit residents to get authorities information and to not reply press questions.
Thus far this 12 months, greater than 2 million tried cyberattacks have been recorded inside the Puerto Rico authorities, PRITS knowledge exhibits. Half of those had been deemed important incidents, which contain “extreme impression on important operations, the compromise of delicate knowledge, or an imminent menace to company safety or authorities knowledge,” in keeping with the company.
In March, residents noticed their driver’s license and registration appointments postponed after an tried cyberattack on Transportation Division techniques. Final 12 months, Puerto Rico residents couldn’t confirm their legal document standing, which they want for employment, for nearly every week due to an “unauthorized entry” to the native Justice Division’s legal information database. In 2023, Puerto Rico water utility shoppers and workers noticed their private info revealed on the darkish internet after a ransomware assault.
A rise in assaults prompted Puerto Rico lawmakers in 2024 to approve a complete cybersecurity legislation, Act 40, which mandated all authorities companies implement minimal cybersecurity requirements and ideas. It additionally established penalties for noncompliance and required all authorities companies to conduct a danger evaluation a minimum of as soon as yearly.
However three cybersecurity consultants mentioned companies have failed to completely implement the safety requirements set out underneath the legislation, at the same time as assaults turn out to be extra frequent and complex. As a substitute of periodically assessing and tackling vulnerabilities that forestall these assaults, companies are reactive, they mentioned.
A Puerto Rico Inspector Basic Workplace report launched late final 12 months discovered deficiencies throughout 90 native authorities companies, with 60% of them failing to conduct vulnerability assessments of their IT techniques.
The federal government could be in “significantly better form” if it targeted on worker coaching and carried out instruments like multifactor authentication on the entrance finish, mentioned Carlos Pérez, a cybersecurity skilled in Puerto Rico who’s director of safety intelligence at TrustedSec, an organization that consults with governments and personal corporations.
“We’re addressing the symptom however not the illness,” he mentioned.
Generally, the cybersecurity legislation falls in need of requiring unified requirements throughout the federal government, mentioned a former authorities IT worker, who requested not be named as a result of he feared skilled repercussions. That lack of a single set of requirements has allowed companies to determine on their very own how they defend private knowledge.
García defined that, as a part of CRIM’s safety measures, the company makes use of passwords, usernames and textual content messages to validate id. He denied that anybody might entry the Catastro Digital database with no password besides to conduct particular person searches by the general public web site.
The power to entry Social Safety numbers by CRIM’s property map raises issues given the proliferation of personal corporations that promote Puerto Rico actual property info, obtained from public databases akin to Catastro Digital. Any of these corporations might have accessed the information, together with private info.
A minimum of three property listings corporations contacted by CPI and ProPublica mentioned they weren’t conscious of any vulnerability and didn’t entry the delicate knowledge.

