[E-trademarks] IG Report - A 3-Year Exposure of Privacy Act-Protected Data Revealed USPTO Mismanagement in Safeguarding the Sensitive PII of Trademark Filers

Tim Ackermann tim at ackermannlaw.com
Fri Jul 5 12:01:16 EDT 2024


Oh, you missed your deadline by over two months? No problem!

>   The Department’s breach notification plan states that bureaus and
> operating units must notify individuals whose data was exposed within 30
> days or as expeditiously as practicable and without unreasonable delay.
> However, USPTO did not notify affected trademark filers for more than 3
> months (105 days) after discovery of the PII exposure on February 24, 2023.

Who could possibly know about editing the URL to access information? Oh...
everybody? Well, it is against the ToS! I'm sure it's fine!

>   USPTO leadership repeatedly stated that access to domicile addresses
> through URL manipulation would violate the system’s user agreement.
> However, the user agreement did not absolve USPTO of its responsibility to
> protect domicile addresses from unauthorized access through URL
> manipulation, a basic and well-known technique used by bad actors

Oh, and we also disclosed other stuff like attorney information, lol! Yes,
we promised to keep that masked... Sorry, did we not tell you about that?

>   In addition to domicile addresses, other data including attorney
> information, email addresses, and Internet Protocol (IP) addresses were
> also exposed during this 3-year period. USPTO’s Trademarks Organization did
> not calculate the number of filers affected by the exposure of this
> additional data nor did the office consider this number when addressing the
> incident.

Oh, and we did it again! Lmao, we're so much fun!

>   On April 19, 2024, after the conclusion of our evaluation, USPTO
> discovered that 14,359 domicile addresses that should have been hidden from
> public view were inadvertently exposed during the transition to a new IT
> system. Also exposed during this incident was the bar information of 16,548
> attorneys and the email addresses of 33,501 trademark owners. USPTO
> concluded that this data was exposed between August 23, 2023, and April 19,
> 2024.


Tim Ackermann
The Ackermann Law Firm

E:  tim at ackermannlaw.com
P:  817.305.0690
F:  214.453.0810
W: ackermannlaw.com
O: 1701 W. Northwest Hwy. Ste. 100
     Grapevine TX 76051


On Fri, Jun 28, 2024 at 10:43 AM Pamela Chestek via E-trademarks <
e-trademarks at oppedahl-lists.com> wrote:

> I just learned of this report:
>
> "We found that USPTO mishandled the required reporting and notification
> to the affected trademark filers after domicile addresses had been
> exposed for 3 years. We also found that USPTO leadership allowed
> domicile addresses to remain publicly accessible after they were aware
> of the exposure, risking unauthorized disclosures in violation of the
> Privacy Act. Additionally, USPTO did not report that additional
> sensitive PII was exposed during the incident or notify the affected
> filers that additional data had been exposed."
>
>
> https://www.oversight.gov/report/DOC/3-Year-Exposure-Privacy-Act-Protected-Data-Revealed-USPTO-Mismanagement-Safeguarding
>
> Pam
>
> Pamela S. Chestek
> Chestek Legal
> 300 Fayetteville Street
> Unit 2492
> Raleigh, NC 27602
> pamela at chesteklegal.com
> (919) 800-8033
> www.chesteklegal.com