The government agency that collects property taxes in Puerto Rico mistakenly released the Social Security numbers of about 1 million people, Centro de Periodismo Investigativo and ProPublica have learned.
This is the latest cybersecurity blunder for Puerto Rico’s government, which over the past three years has seen technology breaches disrupt government services, take websites offline and expose citizens’ personal information to the dark web.
CPI and ProPublica became aware of a vulnerability related to the City Revenue Collection Center’s interactive real estate map, known as Catastro Digital, and notified authorities in mid-June.
This online tool provides information on all registered properties on the island, including size, boundaries, tax assessments, sales prices, and owner names.
A simple search of a map won’t reveal sensitive information, but someone who understands how websites request data may be able to download unsecured personal information, such as social security numbers, without a username or password.
The news organization was able to verify the security hole and provided the organization, known by its Spanish acronym CRIM, with a detailed description of the issue, including the specific servers and folders containing the compromised data.
Despite the notification, CRIM has repeatedly denied there was a problem with its systems.
“After reviewing the Catastro Digital platform, it was determined that there was no disclosure of sensitive taxpayer information, as Catastro Digital does not contain or display the type of information implied,” CRIM Executive Director Javier García Cintron said in a statement.
However, several days after CPI and ProPublica contacted CRIM, the news organization was able to learn that the security hole had been fixed.
Garcia denied this and said there was no need to resolve the issue. Puerto Rico law requires all organizations, including government agencies, to promptly notify users if their personal information has been compromised. But Garcia said the agency will not tell users that their Social Security numbers may be compromised because “no protected information is at risk.”
CRIM also failed to notify the Puerto Rico Innovation and Technology Service, known as PRITS, which oversees all government information technology systems. Government cybersecurity protocols require PRITS to be notified of “suspected security incidents.”
A PRITS spokesperson declined to answer questions, saying the filing was required under Puerto Rico’s public information law. The law gives citizens access to government records and is intended to prevent them from answering questions from reporters.
According to PRITS data, more than 2 million attempted cyberattacks have been recorded within Puerto Rico’s government so far this year. The agency said half of the incidents were considered serious incidents with “severe impact on critical operations, compromise of sensitive data, or imminent threat to agency security or government data.”
In March, citizens saw their driver’s license and registration appointments postponed following an attempted cyberattack on the Department of Transport’s systems. Last year, Puerto Rican residents were unable to verify their criminal records for nearly a week due to “unauthorized access” to the local Department of Justice’s criminal records database. In 2023, customers and employees of a water utility in Puerto Rico saw their personal information exposed on the dark web following a ransomware attack.
In response to the increase in attacks, Puerto Rico’s lawmakers approved Comprehensive Cybersecurity Act No. 40 of 2024, which requires all government agencies to implement minimum cybersecurity standards and principles. It also established penalties for violations and required all government agencies to conduct risk assessments at least once a year.
But three cybersecurity experts said that even as attacks become more frequent and sophisticated, government agencies have failed to fully implement the security standards set by the law. Instead of regularly assessing and addressing vulnerabilities that would prevent these attacks, government agencies are reacting reactively.
A Puerto Rico Inspector General’s Office report released late last year found that 90 municipalities were deficient, with 60% failing to conduct vulnerability assessments of their IT systems.
Carlos Perez, a Puerto Rican cybersecurity expert and director of security intelligence at TrustedSec, a company that consults with governments and private companies, said the government would be in a “much better place” if it focused on training its employees and introduced tools like multi-factor authentication on the front end.
“We’re dealing with the symptoms, but not the disease,” he says.
In most cases, cybersecurity laws fall short of requiring uniform standards across the government, said a former government IT official, who requested anonymity for fear of professional repercussions. The lack of a single standard has allowed government agencies to independently decide how to protect personal data.
Garcia explained that as part of CRIM’s security measures, CRIM uses passwords, usernames and text messages to verify your identity. He denied that anyone can access the Catastro Digital database without a password, except to conduct individual searches through the public website.
Access to Social Security numbers through CRIM’s real estate maps raises concerns given the proliferation of private companies selling Puerto Rico real estate information obtained from public databases such as Catastro Digital. Any of these companies may have had access to data containing personal information.
At least three real estate listing companies contacted by CPI and ProPublica said they were not aware of the vulnerability and did not have access to sensitive data.
