The government agency that collects property taxes in Puerto Rico inadvertently exposed the Social Security numbers of approximately 1 million people, Centro de Periodismo Investigativo and ProPublica learned.
It was the latest cybersecurity lapse for the Puerto Rico government, which in the past three years has seen technology breaches interrupt government services, take websites offline and lead to citizens’ personal information being published on the dark web.
CPI and ProPublica became aware of the vulnerability related to the Municipal Revenue Collection Center’s interactive property map, known as the Catastro Digital, and notified the agency in mid-June.
The online tool provides information, such as size, boundaries, tax assessment, sale price and owner’s name, for every registered property on the island.
While a simple search of the map wouldn’t reveal sensitive information, anyone who understands how websites request data could download unprotected personal information such as Social Security numbers without a username or password.
The news organizations were able to verify the security hole and provided the agency, known by its Spanish initials, CRIM, with a detailed description of the issue that included the specific server and folders that contained the compromised data.
Despite the notification, CRIM has repeatedly denied there were any problems with its system.
“Following a review of the Catastro Digital platform, it was determined that there was NO breach of confidential personal taxpayer information, as the Catastro Digital does NOT contain or display the type of information alluded to,” CRIM Executive Director Javier García Cintrón said.
But a few days after CPI and ProPublica contacted CRIM, the news organizations were able to see that the security holes had been patched.
García denied that, saying there was no need to fix any problem. A Puerto Rico law requires any entity, including government agencies, to promptly notify users if their personal information has been breached. But García said the agency would not reach out to users to tell them that their Social Security numbers were potentially exposed, as “no protected information was at risk.”
CRIM also did not notify the Puerto Rico Innovation & Technology Service, known as PRITS, which oversees all government information technology systems. The government’s cybersecurity protocol requires informing PRITS of “any suspected security incident.”
A PRITS spokesperson declined to answer questions and said they had to be submitted under Puerto Rico’s public information law, which is meant to allow citizens to get government records and not to answer press questions.
So far this year, more than 2 million attempted cyberattacks have been recorded within the Puerto Rico government, PRITS data shows. Half of these were deemed critical incidents, which involve “severe impact on critical operations, the compromise of sensitive data, or an imminent threat to agency security or government data,” according to the agency.
In March, citizens saw their driver’s license and registration appointments postponed after an attempted cyberattack on Transportation Department systems. Last year, Puerto Rico residents could not verify their criminal record status, which they need for employment, for almost a week because of an “unauthorized access” to the local Justice Department’s criminal records database. In 2023, Puerto Rico water utility clients and employees saw their personal information published on the dark web after a ransomware attack.
An increase in attacks prompted Puerto Rico lawmakers in 2024 to approve a comprehensive cybersecurity law, Act 40, which mandated all government agencies implement minimum cybersecurity standards and principles. It also established penalties for noncompliance and required all government agencies to conduct a risk assessment at least once annually.
But three cybersecurity experts said agencies have failed to fully implement the security standards set out under the law, even as attacks become more frequent and sophisticated. Instead of periodically assessing and tackling vulnerabilities that prevent these attacks, agencies are reactive, they said.
A Puerto Rico Inspector General Office report released late last year found deficiencies across 90 local government agencies, with 60% of them failing to conduct vulnerability assessments of their IT systems.
The government would be in “much better shape” if it focused on employee training and implemented tools like multifactor authentication on the front end, said Carlos Pérez, a cybersecurity expert in Puerto Rico who is director of security intelligence at TrustedSec, a company that consults with governments and private companies.
“We are addressing the symptom but not the disease,” he said.
In most cases, the cybersecurity law falls short of requiring unified standards across the government, said a former government IT employee, who asked not be named because he feared professional repercussions. That lack of a single set of standards has allowed agencies to decide on their own how they protect personal data.
García explained that, as part of CRIM’s security measures, the agency uses passwords, usernames and text messages to validate identity. He denied that anyone could access the Catastro Digital database without a password except to conduct individual searches through the public website.
The ability to access Social Security numbers through CRIM’s property map raises concerns given the proliferation of private companies that sell Puerto Rico real estate information, obtained from public databases such as Catastro Digital. Any of those companies could have accessed the data, including personal information.
At least three property listings companies contacted by CPI and ProPublica said they were not aware of any vulnerability and did not access the sensitive data.
This story originally appeared on ProPublica
