The federal government agency responsible for granting patents and trademarks is alerting thousands of applicants whose private addresses were exposed after a second data leak in as many years.
The US Patent and Trademark Office (USPTO) said in an email to affected trademark applicants this week that their private residential address — which may include their home address — appeared in public records between August 23, 2023 and April 19, 2024.
US trademark law requires applicants to include a private address when submitting their documents to the agency to prevent fraudulent trademark filings.
The USPTO said that while no addresses appeared in regular searches on the agency’s website, about 14,000 applicants’ private addresses were included in massive data sets that the USPTO publishes online to enhance academic and economic research.
The agency took responsibility for the incident, saying the addresses were “inadvertently exposed as we were transitioning to a new IT system,” according to an email to affected applicants obtained by TechCrunch. “Importantly, this incident was not the result of malicious activity,” the email said.
After discovering the security hole, the agency said it “disabled access to the affected dataset, removed files, applied a patch to fix the exposure, tested our solution and re-enabled access.”
If this sounds eerily familiar, that is because the USPTO had a similar exposure of applicants’ address data last June. At the time, the USPTO said it had inadvertently exposed about 61,000 private applicant addresses in a years-long data breach, in part through the release of its bulk data sets, and told affected individuals that the problem had been resolved.
When reached for comment Wednesday, USPTO Deputy Chief Information Officer Deborah Stephens told TechCrunch that the new exposure was discovered as part of the agency’s efforts to modernize its IT infrastructure.
“The fix we had in place was all in place and it stays in place,” Stephens said. “As we modernize and take legacy systems from the different decades of standards and protocols, the system error occurred in the creation and modernization of this massive data set.”
Stephens said the USPTO has put in place new controls on the collection and publication of its massive data sets that include “error correction during file creation,” which will prevent future leaks of personal information.
“We’re looking at our legacy process to modernize so we can identify ways we can improve IT development, processing and delivery by taking a more holistic approach to our data, specifically our external facing systems or publicly,” Stephens said.
The USPTO told affected individuals that the agency “has no reason to believe” that the exposed addresses have been misused.