Full Report
The government agency that collects property taxes in Puerto Rico inadvertently exposed the Social Security numbers of approximately 1 million people, Centro de Periodismo Investigativo and ProPublica learned. It was the latest cybersecurity lapse for the Puerto Rico government, which in the past three years has seen technology breaches interrupt government services, take websites offline…
Analysis Summary
# Incident Report: CRIM Digital Property Map Data Exposure
## Executive Summary
The Puerto Rico Municipal Revenue Collection Center (CRIM) inadvertently exposed the Social Security numbers (SSNs) of approximately 1 million citizens through a technical vulnerability in its public-facing interactive property map. The exposure was discovered by investigative journalists rather than internal monitoring, highlighting significant gaps in the agency's data protection and application security protocols. This incident follows a pattern of recurring cybersecurity lapses within the Puerto Rico government over the past three years.
## Incident Details
- **Discovery Date:** Mid-June 2026 (Reported by journalists)
- **Incident Date:** Ongoing until mid-June 2026
- **Affected Organization:** Municipal Revenue Collection Center (CRIM - Centro de Recaudación de Ingresos Municipales)
- **Sector:** Government / Tax Collection
- **Geography:** Puerto Rico
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (Exposure existed prior to June 2026)
- **Vector:** Web application vulnerability
- **Details:** A vulnerability within the "Catastro Digital" (Interactive Property Map) web portal allowed unauthorized access to sensitive database fields.
### Lateral Movement
- **Details:** Not applicable. This was an inadvertent exposure where backend database information was accessible through the front-end application interface.
### Data Exfiltration/Impact
- **Details:** Approximately 1 million Social Security numbers were accessible and potentially compromised.
### Detection & Response
- **How it was discovered:** Investigative journalists from *Centro de Periodismo Investigativo* (CPI) and *ProPublica* identified the vulnerability.
- **Response actions taken:** Journalists notified CRIM in mid-June 2026; the agency subsequently worked to address the vulnerability.
## Attack Methodology
- **Initial Access:** Misconfigured web application (Catastro Digital).
- **Persistence:** N/A (Inadvertent exposure).
- **Privilege Escalation:** N/A (Data was exposed to unauthenticated public users).
- **Defense Evasion:** N/A.
- **Credential Access:** N/A.
- **Discovery:** Inadvertent leakage of backend data via public API or web interface.
- **Lateral Movement:** N/A.
- **Collection:** Data was aggregated within the agency's property tax database.
- **Exfiltration:** Potential mass scraping by third parties (unknown if occurred prior to discovery).
- **Impact:** Exposure of Personally Identifiable Information (PII).
## Impact Assessment
- **Financial:** Pending (Potential costs include credit monitoring services for 1 million residents and regulatory fines).
- **Data Breach:** Exposure of ~1 million Social Security numbers.
- **Operational:** Temporary interruption or modification of the Catastro Digital service to patch the vulnerability.
- **Reputational:** High; reinforces public perception of systemic government cybersecurity failures in Puerto Rico.
## Indicators of Compromise
- **Network indicators:** N/A (Inadvertent exposure).
- **File indicators:** N/A.
- **Behavioral indicators:** Unusual scraping activity or high volume of queries to the Catastro Digital database/API from specific IP ranges could have served as an indicator if monitored.
## Response Actions
- **Containment measures:** Upon notification in mid-June, CRIM initiated efforts to secure the interactive map.
- **Eradication steps:** Fixing the software logic/configuration that allowed SSN fields to be queried or displayed.
- **Recovery actions:** Verification of the integrity of the property map database and assessment of whether the data had been harvested by malicious actors.
## Lessons Learned
- **Key takeaways:** Public-facing government databases must undergo rigorous security audits and "Privacy by Design" reviews to ensure sensitive fields are not mapped to public interfaces.
- **What could have been done better:** The agency lacked sufficient automated monitoring to detect that sensitive PII was being served through a public portal.
## Recommendations
- **Secure Development Lifecycle (SDLC):** Implement mandatory security testing for all government web applications before deployment.
- **Data Masking:** Ensure Social Security numbers and other PII are encrypted or masked at the database level so they cannot be retrieved by unauthorized front-end applications.
- **External Audits:** Conduct regular third-party penetration testing on all critical infrastructure and citizen-facing government portals.
- **Vulnerability Disclosure Program:** Establish a clear channel for researchers and journalists to report vulnerabilities securely.