1 million
An investigation by ProPublica and the Center for Investigative Journalism has uncovered a massive data exposure at Puerto Rico's Municipal Revenue Collection Center, known as CRIM. A significant security flaw in the agency's 'Catastro Digital' online property map service left the Social Security numbers (SSNs) of approximately 1 million people unprotected and easily accessible. The journalists responsibly disclosed the vulnerability to CRIM in mid-June, providing details of the exposed server and data. However, the agency has publicly and repeatedly denied that any breach or data exposure occurred, contradicting the investigation's findings. This incident represents a critical failure in securing sensitive citizen data and a troubling refusal to acknowledge and address a verified security risk.
The vulnerability was not on the public-facing website itself but in its backend service. The 'Catastro Digital' map is a public tool for viewing property information. The investigation found that while the public website did not display SSNs, the backend API that feeds data to the map was insecure. Anyone with a basic understanding of how web browsers request data could directly query this backend service and download sensitive personal information, including SSNs, without requiring any authentication like a username or password. This is a classic example of an Insecure Direct Object Reference (IDOR) or a broken access control vulnerability (T1087 - Account Discovery is related, though this is more about lack of access control). The data was essentially public to anyone who knew where to look.
This was not a sophisticated hack but an inadvertent exposure due to poor security design. The data was left unprotected. The journalists who discovered the flaw did not maliciously exploit it but verified its existence as part of their investigation. It is unknown if any malicious actors discovered and exploited this vulnerability before the journalists reported it. CRIM's denial of the issue is particularly concerning, as it suggests the vulnerability may not have been properly remediated, potentially leaving the data still exposed.
The exposure of 1 million Social Security numbers is a catastrophic privacy failure. The SSN is a key piece of information used for identity verification in the United States. In the hands of criminals, this data can be used for widespread identity theft, to open fraudulent lines of credit, file fake tax returns, and commit other forms of financial fraud. The impact on the affected citizens of Puerto Rico could be devastating and long-lasting. CRIM's denial of the breach exacerbates the problem by preventing citizens from taking proactive steps to protect themselves, such as placing credit freezes or monitoring their accounts. It also severely undermines public trust in the government's ability to protect its citizens' most sensitive data.
For similar API vulnerabilities, hunting should focus on API and web server logs:
/api/v1/property_data/{id}record=1, record=2, record=3, etc., is a classic sign of an IDOR scanning attempt. This is a form of D3-RAPA: Resource Access Pattern Analysis.D3-UAP: User Account Permissions.Implement proper server-side authentication and authorization checks on all API endpoints to prevent unauthorized data access.
Mapped D3FEND Techniques:
Regularly audit API logs for signs of enumeration or scraping attacks, such as sequential ID scanning.
Mapped D3FEND Techniques:
Regularly scan web applications and APIs for common vulnerabilities like IDOR and broken access control.
The root cause of the CRIM data exposure was a complete failure of access control. The definitive solution is to implement and enforce proper server-side authorization. For every API request that retrieves sensitive data, the backend server must perform two checks: 1) Is the user authenticated (i.e., have they logged in)? 2) Is the authenticated user authorized to view the specific record they are requesting? In this case, the API for the 'Catastro Digital' should never have returned an SSN without first verifying the identity of the requester and confirming they have a legal right to view that specific person's SSN. This logic must exist on the server and cannot be bypassed by a direct API call. This is a fundamental principle of secure application development that was clearly missed.
As a detective control, CRIM should have been using Resource Access Pattern Analysis on its API logs. An attacker (or curious user) attempting to discover the extent of the exposed data would likely have performed an enumeration attack, requesting data for property_id=1, property_id=2, property_id=3, and so on. This sequential, rapid-fire access to a resource is a classic indicator of an IDOR vulnerability being probed or exploited. A monitoring system that analyzes API access patterns could easily detect this behavior and trigger an alert for the security team to investigate. This would allow the agency to discover the vulnerability itself, even without an external party reporting it, and to identify any actors who may have been scraping the data.
Journalists from ProPublica and CPI disclose the vulnerability to CRIM (approximate date).
ProPublica and CPI publish their investigation after CRIM denies the breach.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph β relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.