A Puerto Rico Government Agency Exposed 1 Million Social Security Numbers — ProPublica
Arrow Right
Caret
Close
Search ProPublica Search Close<br>ProPublica is a nonprofit, investigative newsroom that exposes<br>corruption. We report in all 50 states and partner with local newsrooms. Our work spurs real-world impact and has received numerous awards, including nine Pulitzer Prizes.
Topics We Cover<br>See All<br>Abortion<br>Civil Rights<br>Courts<br>Criminal Justice<br>Debt<br>Democracy<br>Education<br>Environment<br>Health Care<br>Health Insurance<br>Immigration<br>Labor<br>Mental Health<br>Military<br>Police<br>Politics<br>Pregnancy<br>Prison<br>Racial Justice<br>Regulation<br>Sex and Gender<br>Technology
Our Biggest Series<br>See All<br>Life of the Mother<br>How Abortion Bans Lead to Preventable Deaths
The New Immigration<br>How Recent Arrivals at the Border Have Changed the Country and Its Attitudes
Friends of the Court<br>SCOTUS Justices’ Beneficial Relationships With Billionaire Donors
This article was produced for ProPublica’s Local Reporting Network in partnership with Centro de Periodismo Investigativo. Sign up for Dispatches to get our stories in your inbox every week.
The government agency that collects property taxes in Puerto Rico inadvertently exposed the Social Security numbers of approximately 1 million people, Centro de Periodismo Investigativo and ProPublica learned.
It was the latest cybersecurity lapse for the Puerto Rico government, which in the past three years has seen technology breaches interrupt government services, take websites offline and lead to citizens’ personal information being published on the dark web.
CPI and ProPublica became aware of the vulnerability related to the Municipal Revenue Collection Center’s interactive property map, known as the Catastro Digital, and notified the agency in mid-June.
The online tool provides information, such as size, boundaries, tax assessment, sale price and owner’s name, for every registered property on the island.
While a simple search of the map wouldn’t reveal sensitive information, anyone who understands how websites request data could download unprotected personal information such as Social Security numbers without a username or password.
The news organizations were able to verify the security hole and provided the agency, known by its Spanish initials, CRIM, with a detailed description of the issue that included the specific server and folders that contained the compromised data.
Despite the notification, CRIM has repeatedly denied there were any problems with its system.
“Following a review of the Catastro Digital platform, it was determined that there was NO breach of confidential personal taxpayer information, as the Catastro Digital does NOT contain or display the type of information alluded to,” CRIM Executive Director Javier García Cintrón said.
But a few days after CPI and ProPublica contacted CRIM, the news organizations were able to see that the security holes had been patched.
García denied that, saying there was no need to fix any problem. A Puerto Rico law requires any entity, including government agencies, to promptly notify users if their personal information has been breached. But García said the agency would not reach out to users to tell them that their Social Security numbers were potentially exposed, as “no protected information was at risk.”
CRIM also did not notify the Puerto Rico Innovation & Technology Service, known as PRITS, which oversees all government information technology systems. The government’s cybersecurity protocol requires informing PRITS of “any suspected security incident.”
A PRITS spokesperson declined to answer questions and said they had to be submitted under Puerto Rico’s public information law, which is meant to allow citizens to get government records and not to answer press questions.
So far this year, more than 2 million attempted cyberattacks have been recorded within the Puerto Rico government, PRITS data shows. Half of these were deemed critical incidents, which involve “severe impact on critical operations, the compromise of sensitive data, or an imminent threat to agency security or government data,” according to the agency.
In March, citizens saw their driver’s license and registration appointments postponed after an attempted cyberattack on Transportation Department systems. Last year, Puerto Rico residents could not verify their criminal record status, which they need for employment, for almost a week because of an “unauthorized access” to the local Justice Department’s criminal records database. In 2023, Puerto Rico water utility clients and employees saw their personal information published on the dark web after a ransomware attack.
An increase in attacks prompted Puerto Rico lawmakers in 2024 to approve a comprehensive cybersecurity law, Act 40, which mandated all government agencies implement minimum cybersecurity standards and principles. It also established penalties for noncompliance and required all government agencies to conduct a risk...