The federal agency responsible for granting patents and trademarks is alerting thousands of applicants whose home addresses were exposed after a second data breach in as many years.
The U.S. Patent and Trademark Office (USPTO) said in an email to affected trademark applicants this week that their private home address – which may include home address – will be public between August 23, 2023 and April 19, 2024 records emerged.
U.S. trademark law requires applicants to provide a home address when submitting their paperwork to the agency to prevent fraudulent trademark applications.
The USPTO said that while no addresses appeared in regular searches on the agency’s website, the home addresses of about 14,000 applicants were included in bulk data sets that the USPTO publishes online to support academic and commercial research.
The agency blamed itself for the incident and said the addresses were “inadvertently exposed as we transitioned to a new IT system,” according to the email to affected applicants obtained by TechCrunch. “Importantly, this incident was not the result of malicious activity,” the email said.
When the vulnerability was discovered, the agency said it “blocked access to the affected bulk data set, removed files, implemented a patch to address the compromise, tested our solution, and re-enabled access.”
If this sounds surprisingly familiar, the USPTO had a similar disclosure of applicants’ address information last June. At the time, the USPTO said it had inadvertently exposed the home addresses of about 61,000 applicants in a years-long data breach, including through the release of its bulk records, and told those affected that the problem had been resolved.
When reached for comment on Wednesday, USPTO Deputy Chief Information Officer Deborah Stephens told TechCrunch that the new revelation was discovered as part of the agency’s efforts to modernize its IT infrastructure.
“The fix we had in place was fully in place and remains in place,” Stephens said. “As we modernize and adopt the legacy systems from the various decades of standards and protocols, the system failure occurred in the creation and modernization of this mass data set.”
Stephens said the USPTO has implemented new controls in compiling and releasing its bulk data sets that include “file creation error correction” designed to prevent future losses of personal information.
“We are looking at our legacy to modern process to identify opportunities to improve our IT development, processing and delivery by taking a more holistic approach to our data and particularly to external or publicly accessible systems. said Stephens.
The USPTO told affected individuals that the agency had “no reason to believe” that disclosed addresses had been misused.