The government agency that collects property taxes in Puerto Rico inadvertently revealed the Social Security numbers of about 1 million people, Centro de Periodismo Investigativo and ProPublica have learned.
It’s the latest cybersecurity breach for Puerto Rico’s government, which over the past three years has seen technological breaches disrupt government services, knock websites offline and lead to the publication of citizens’ personal information on the dark web.
CPI and ProPublica became aware of the vulnerability in the Municipal Revenue Center’s interactive property map, known as Catastro Digital, and notified the agency in mid-June.
The online tool provides information such as size, boundaries, tax assessment, sale price and owner name, for each registered property on the island.
Although a simple search of the map would not reveal sensitive information, anyone who understands how websites request data could download unprotected personal information such as Social Security numbers without a username or password.
News organizations were able to verify the security breach and provided the agency, known by its Spanish initials, CRIM, with a detailed description of the problem that included the specific server and folders containing the compromised data.
Despite this notification, CRIM has repeatedly denied any problem with its system.
“After a review of the Catastro Digital platform, it was determined that there was NO violation of taxpayers’ confidential personal information, as Catastro Digital does not contain or display the type of information it alludes to,” said CRIM Executive Director Javier García Cintrón.
But a few days after CPI and ProPublica contacted CRIM, the news agencies were able to see that the security flaws had been closed.
García denied this, saying there was no need to resolve the issue. A Puerto Rico law requires any entity, including government agencies, to promptly notify users if their personal information has been breached. But García said the agency would not contact users to tell them their Social Security numbers were potentially exposed because “no protected information was at risk.”
CRIM also failed to notify the Puerto Rico Innovation and Technology Service, known as PRITS, which oversees all government IT systems. Government cybersecurity protocol requires informing PRITS of “any suspected security incidents.”
A PRITS spokesperson declined to answer questions and said they must be submitted under Puerto Rico’s public information law, which is intended to allow citizens to obtain government documents and not to answer questions from the press.
So far this year, more than 2 million attempted cyberattacks have been recorded within the Puerto Rico government, according to PRITS data. Half of them were considered critical incidents, involving “severe impact to critical operations, compromise of sensitive data, or imminent threat to agency security or government data,” according to the agency.
In March, citizens had their driver’s licenses and registration appointments postponed after an attempted cyberattack on Department of Transportation systems. Last year, Puerto Rico residents were unable to check their criminal records, which they need for work, for nearly a week due to “unauthorized access” to the local Department of Justice’s criminal records database. In 2023, Puerto Rico water utility customers and employees had their personal information posted on the dark web after a ransomware attack.
An increase in attacks has prompted Puerto Rico lawmakers to approve a comprehensive cybersecurity law, Act 40, in 2024, which requires all government agencies to implement minimum cybersecurity standards and principles. It also established penalties for non-compliance and required all government agencies to conduct a risk assessment at least annually.
But three cybersecurity experts said agencies have failed to fully implement the security standards laid out in the law, even as attacks become more frequent and more sophisticated. Instead of periodically assessing and addressing vulnerabilities that prevent these attacks, agencies are reacting, they said.
A report from Puerto Rico’s Office of Inspector General released late last year found deficiencies in 90 local government agencies, with 60 percent failing to conduct vulnerability assessments of their IT systems.
The government would be in “much better shape” if it focused on employee training and implemented tools like multifactor authentication early on, said Carlos Pérez, a cybersecurity expert in Puerto Rico and director of security intelligence at TrustedSec, a company that consults with governments and private companies.
“We address the symptoms but not the disease,” he said.
In most cases, cybersecurity law is not enough to require unified standards across government, said a former government IT employee, who asked to remain anonymous for fear of professional repercussions. This lack of a single set of standards has allowed agencies to decide for themselves how they protect personal data.
García explained that as part of CRIM’s security measures, the agency uses passwords, usernames and text messages to validate identity. He denied that anyone could access the Catastro Digital database without a password except to perform individual searches on the public website.
The ability to access Social Security numbers through CRIM’s real estate card raises concerns given the proliferation of private companies that sell real estate information in Puerto Rico, obtained from public databases such as Catastro Digital. Any of these companies could have accessed the data, including personal information.
At least three real estate listings companies contacted by CPI and ProPublica said they were unaware of any vulnerabilities and did not have access to sensitive data.
