Investigation Reveals Puerto Rico's Tax Agency (CRIM) Inadvertently Exposed 1 Million Social Security Numbers, Agency Denies Breach

Puerto Rico Agency Denies Data Leak After Exposing 1 Million Social Security Numbers

CRITICAL
July 9, 2026
5m read
Data BreachRegulatoryVulnerability

Impact Scope

People Affected

1 million

Industries Affected

Government

Geographic Impact

Puerto Rico (national)

Related Entities

Organizations

Municipal Revenue Collection Center (CRIM)

Other

ProPublica Centro de Periodismo Investigativo (CPI)

Full Report

Executive Summary

An investigation by ProPublica and the Center for Investigative Journalism has uncovered a massive data exposure at Puerto Rico's Municipal Revenue Collection Center, known as CRIM. A significant security flaw in the agency's 'Catastro Digital' online property map service left the Social Security numbers (SSNs) of approximately 1 million people unprotected and easily accessible. The journalists responsibly disclosed the vulnerability to CRIM in mid-June, providing details of the exposed server and data. However, the agency has publicly and repeatedly denied that any breach or data exposure occurred, contradicting the investigation's findings. This incident represents a critical failure in securing sensitive citizen data and a troubling refusal to acknowledge and address a verified security risk.

Vulnerability Details

The vulnerability was not on the public-facing website itself but in its backend service. The 'Catastro Digital' map is a public tool for viewing property information. The investigation found that while the public website did not display SSNs, the backend API that feeds data to the map was insecure. Anyone with a basic understanding of how web browsers request data could directly query this backend service and download sensitive personal information, including SSNs, without requiring any authentication like a username or password. This is a classic example of an Insecure Direct Object Reference (IDOR) or a broken access control vulnerability (T1087 - Account Discovery is related, though this is more about lack of access control). The data was essentially public to anyone who knew where to look.

Affected Systems

  • Affected Service: The backend data service for the 'Catastro Digital' interactive property map.
  • Affected Organization: Municipal Revenue Collection Center (CRIM) of Puerto Rico.
  • Exposed Data: Approximately 1 million Social Security numbers and other personal information linked to property records.

Exploitation Status

This was not a sophisticated hack but an inadvertent exposure due to poor security design. The data was left unprotected. The journalists who discovered the flaw did not maliciously exploit it but verified its existence as part of their investigation. It is unknown if any malicious actors discovered and exploited this vulnerability before the journalists reported it. CRIM's denial of the issue is particularly concerning, as it suggests the vulnerability may not have been properly remediated, potentially leaving the data still exposed.

Impact Assessment

The exposure of 1 million Social Security numbers is a catastrophic privacy failure. The SSN is a key piece of information used for identity verification in the United States. In the hands of criminals, this data can be used for widespread identity theft, to open fraudulent lines of credit, file fake tax returns, and commit other forms of financial fraud. The impact on the affected citizens of Puerto Rico could be devastating and long-lasting. CRIM's denial of the breach exacerbates the problem by preventing citizens from taking proactive steps to protect themselves, such as placing credit freezes or monitoring their accounts. It also severely undermines public trust in the government's ability to protect its citizens' most sensitive data.

Cyber Observables β€” Hunting Hints

For similar API vulnerabilities, hunting should focus on API and web server logs:

Type
API Endpoint
Value
/api/v1/property_data/{id}
Description
Monitor for sequential scanning of numeric IDs in API endpoints, which can indicate an IDOR enumeration attempt.
Type
Log Source
Value
API Gateway / Web Server Logs
Description
Look for a single IP address making an unusually large number of requests to a data-retrieval API endpoint over a short period.
Type
Network Traffic Pattern
Value
Anomalous data egress
Description
A large, unexpected download of data from a backend server could indicate that an exposed dataset is being exfiltrated.

Detection Methods

  • API Security Scanning: Regularly use dynamic application security testing (DAST) and API security scanning tools to test for access control vulnerabilities like IDOR. These tools can automatically check if an unauthenticated user can access resources that should be protected.
  • Log Analysis: Analyze API gateway and web server logs for signs of enumeration. A user or IP address requesting record=1, record=2, record=3, etc., is a classic sign of an IDOR scanning attempt. This is a form of D3-RAPA: Resource Access Pattern Analysis.
  • Code Review: Implement secure coding practices and perform regular manual and automated code reviews to identify and fix access control flaws before they reach production. Developers should never trust client-side input for authorization checks.

Remediation Steps

  • Implement Proper Access Control: The fundamental fix is to implement proper, server-side authentication and authorization checks for all API endpoints that handle sensitive data. Before returning any data, the server must verify that the user is authenticated and has the right to access the specific record they are requesting. This is a core part of D3-UAP: User Account Permissions.
  • Acknowledge and Remediate: The first step for CRIM should be to acknowledge the vulnerability, take the affected service offline immediately, and conduct a thorough investigation to remediate the flaw. Denying the problem is not a security strategy.
  • Notify Victims: Once the breach is confirmed, the agency has an ethical and often legal obligation to notify the 1 million affected individuals so they can take steps to protect their identities.
  • Principle of Data Minimization: Government agencies should review what data they are collecting and making accessible via online services. SSNs should almost never be stored in a system that is connected to a public-facing web application.

Timeline of Events

1
June 15, 2026
Journalists from ProPublica and CPI disclose the vulnerability to CRIM (approximate date).
2
July 9, 2026
ProPublica and CPI publish their investigation after CRIM denies the breach.
3
July 9, 2026
This article was published

MITRE ATT&CK Mitigations

Implement proper server-side authentication and authorization checks on all API endpoints to prevent unauthorized data access.

Mapped D3FEND Techniques:

Audit

M1047enterprise

Regularly audit API logs for signs of enumeration or scraping attacks, such as sequential ID scanning.

Mapped D3FEND Techniques:

Regularly scan web applications and APIs for common vulnerabilities like IDOR and broken access control.

D3FEND Defensive Countermeasures

The root cause of the CRIM data exposure was a complete failure of access control. The definitive solution is to implement and enforce proper server-side authorization. For every API request that retrieves sensitive data, the backend server must perform two checks: 1) Is the user authenticated (i.e., have they logged in)? 2) Is the authenticated user authorized to view the specific record they are requesting? In this case, the API for the 'Catastro Digital' should never have returned an SSN without first verifying the identity of the requester and confirming they have a legal right to view that specific person's SSN. This logic must exist on the server and cannot be bypassed by a direct API call. This is a fundamental principle of secure application development that was clearly missed.

As a detective control, CRIM should have been using Resource Access Pattern Analysis on its API logs. An attacker (or curious user) attempting to discover the extent of the exposed data would likely have performed an enumeration attack, requesting data for property_id=1, property_id=2, property_id=3, and so on. This sequential, rapid-fire access to a resource is a classic indicator of an IDOR vulnerability being probed or exploited. A monitoring system that analyzes API access patterns could easily detect this behavior and trigger an alert for the security team to investigate. This would allow the agency to discover the vulnerability itself, even without an external party reporting it, and to identify any actors who may have been scraping the data.

Timeline of Events

1
June 15, 2026

Journalists from ProPublica and CPI disclose the vulnerability to CRIM (approximate date).

2
July 9, 2026

ProPublica and CPI publish their investigation after CRIM denies the breach.

Sources & References

Article Author

Jason Gomes

Jason Gomes

β€’ Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

Data BreachData LeakGovernmentPuerto RicoCRIMProPublicaIDORVulnerability

πŸ“’ Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

πŸ›‘οΈ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

πŸ”— STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph β€” relationships between actors, malware, techniques, and indicators.

⚑ Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.