The U.S. Patent and Trademark Office (USPTO) kept an open, internet-accessible database of private postal addresses belonging to patent filers for more than eight months.
The agency, which is responsible for handling patents and trademarks, sent a notification letter to affected individuals explaining what had happened and what it did after discovering the exposure.
As reported by TechCrunch, which saw a copy of the letter, the USPTO was transitioning from an old IT system to a new one, and during the migration it “inadvertently exposed” a database containing sensitive filer data.
Unprotected databases
Filers are required to provide these addresses, which the USPTO says it needs in order to prevent fraud. The addresses could not be found by searching for them on the USPTO website; the public search tools withheld them. They were, however, included in a bulk data set the USPTO publishes to help researchers, so anyone who opened that data set would have found them in bulk. Roughly 14,000 addresses were exposed this way.
The USPTO says it discovered the mistake itself, after which it “blocked access to the impacted bulk data set, removed files, implemented a patch to fix the exposure, tested our solution, and re-enabled access,” according to the letter. The data set was exposed between mid-August 2023 and mid-April 2024. The USPTO believes no threat actors found or stole the data.
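The failure pattern here, a field hidden by the public search interface but carried unchanged into a bulk export, is worth guarding against in the publishing pipeline rather than in the UI alone. The following is an added illustration, not USPTO code: a pre-publication gate that compares every record in a bulk export against an allow-list of fields the public is meant to see and refuses to ship the file if anything else is present. The field names, the allow-list and the sample records are assumptions constructed for the example, not the USPTO's schema or real filer data.

```python
"""Pre-publication check for a bulk export: refuse to publish records that
carry fields the public-facing search deliberately withholds.

Field names, the allow-list and the sample records below are constructed
for illustration; they are not the USPTO's schema or real filer data.
"""
import json

# Fields the public search UI is allowed to show (assumed, not USPTO's schema).
# Using an allow-list means a new internal field is withheld by default,
# instead of leaking until someone remembers to add it to a block-list.
PUBLIC_FIELDS = {
    "application_number",
    "title",
    "filing_date",
    "correspondence_address",
}

# Constructed sample export: the second record still carries the filer's
# domicile address, which the UI hides but the bulk file would expose.
SAMPLE_EXPORT = [
    {
        "application_number": "A-0001",
        "title": "Widget",
        "filing_date": "2023-08-15",
        "correspondence_address": "PO Box 1, Anytown",
    },
    {
        "application_number": "A-0002",
        "title": "Gadget",
        "filing_date": "2023-09-01",
        "correspondence_address": "PO Box 2, Anytown",
        "domicile_address": "12 Private Lane, Hometown",
    },
]


def audit_export(records):
    """Return (ids of records carrying non-public fields, the set of those fields)."""
    offending = []
    unexpected = set()
    for rec in records:
        extra = set(rec) - PUBLIC_FIELDS
        if extra:
            offending.append(rec["application_number"])
            unexpected |= extra
    return offending, unexpected


def redact_export(records):
    """Strip everything not in PUBLIC_FIELDS so the export stays usable for research."""
    return [{k: v for k, v in rec.items() if k in PUBLIC_FIELDS} for rec in records]


def export_is_safe(records):
    """Gate for the publishing step: only an export with no extra fields may ship."""
    offending, _ = audit_export(records)
    return not offending


if __name__ == "__main__":
    bad_ids, fields = audit_export(SAMPLE_EXPORT)
    print("records carrying non-public fields:", bad_ids, "fields:", sorted(fields))
    cleaned = redact_export(SAMPLE_EXPORT)
    print("cleaned export safe to publish:", export_is_safe(cleaned))
    print(json.dumps(cleaned, indent=1))
```

The point of the allow-list is that the same list drives both the search interface and the bulk export, so the two cannot drift apart the way they did here; the gate runs on the file that is actually about to be published, after any migration, rather than on the schema someone believes the new system has.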
Unprotected and misconfigured databases are among the most common causes of data spills and leaks. Organizations in both the private and public sectors are regularly found exposing sensitive customer and citizen data this way. In one notable example, the Brazilian government recently exposed sensitive data on its entire population of more than 220 million people.
This is not the USPTO's first such incident: in 2023 it exposed the private addresses of 61,000 people through another unprotected data set.