US Patent Office Data Spill Exposes Trademark Applications
Misconfiguration exposed the physical addresses of 60,000 patent filers over three years.
The US Patent and Trademark Office (USPTO) informed more than 60,000 trademark application filers that it mistakenly left their physical addresses exposed to the public Internet for three years.
According to reports, a leaky API was the culprit. It left data sets exposed, including the addresses that applicants are required to provide when they file for a trademark with the USPTO.
"When we discovered the issue, we blocked access to all USPTO non-critical APIs and took down the impacted bulk data products until a permanent fix could be implemented," the notice sent to impacted filers and shared with TechCrunch read.
A spokesperson added that the leak affected about 3% of the applications filed during the three-year period.
"We regrettably failed to locate some of the more technical exit points and properly mask the data exported from those points," a USPTO spokesperson added. "We apologize for our mistake and will do better to prevent such an incident from happening again, while also preserving our ability to crack down on the historic amount of filing fraud we’re seeing originate overseas."
Jason Kent, hacker in residence with Cequence Security, said in a statement provided to Dark Reading that this type of API misconfiguration is precisely what cyberattackers are trawling for across the Internet.
"The more technical exit points are the ones the attackers tend to prefer," Kent said. "In 2023 API security parlance, they had API9:2023 Improper Inventory Management that allowed an attacker to find the endpoint, learn that it wasn’t authenticated API2:2023 Broken User Authentication that could have allowed an automated attacker to pull all of the impacted data in a very short period of time, API6:2023 Unrestricted Access to Sensitive Business Flows."
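The two failures named above, export points that were never located and data that left them unmasked, can be checked from an API inventory. The sketch below is an added example, not code from the article or from the USPTO: it walks a constructed, simplified OpenAPI-like inventory, flags operations that need no authentication yet return address fields, and shows masking applied in one shared serializer. All routes, schema shapes and field names are assumptions.

```python
# Added example. SPEC is constructed sample data in a simplified OpenAPI-like
# shape; routes and field names are assumptions, not the USPTO's real API.
SENSITIVE = {"domicile_address", "street", "postal_code"}
METHODS = {"get", "post", "put", "patch", "delete"}

SPEC = {
    "security": [{"apiKey": []}],  # global default: authentication required
    "paths": {
        "/applications/{id}": {"get": {"responses": {"200": {"schema": {
            "properties": {"serial": {}, "mark": {}}}}}}},
        "/bulk/export": {"get": {
            "security": [],  # empty list overrides the global default: no auth
            "responses": {"200": {"schema": {"properties": {"items": {"items": {
                "properties": {"serial": {}, "owner": {"properties": {
                    "name": {}, "domicile_address": {}}}}}}}}}}}},
        "/status/{id}": {"get": {"security": [], "responses": {"200": {
            "schema": {"properties": {"state": {}}}}}}},
    },
}

def sensitive_paths(schema, prefix=""):
    """Yield dotted paths of sensitive properties, through objects and arrays."""
    for name, sub in schema.get("properties", {}).items():
        if name in SENSITIVE:
            yield f"{prefix}{name}"
        yield from sensitive_paths(sub, f"{prefix}{name}.")
    if "items" in schema:  # array schema: descend into the element schema
        yield from sensitive_paths(schema["items"], prefix.rstrip(".") + "[].")

def audit(spec):
    findings = []
    for route, ops in spec["paths"].items():
        for method in sorted(METHODS & ops.keys()):
            op = ops[method]
            requires_auth = bool(op.get("security", spec.get("security", [])))
            exposed = sorted({p for r in op.get("responses", {}).values()
                              for p in sensitive_paths(r.get("schema", {}))})
            if exposed and not requires_auth:
                findings.append((method.upper(), route, exposed))
    return findings

def mask(record):
    """Redact sensitive keys in one shared serializer used by every exit point."""
    if isinstance(record, dict):
        return {k: "[REDACTED]" if k in SENSITIVE else mask(v) for k, v in record.items()}
    if isinstance(record, list):
        return [mask(v) for v in record]
    return record

if __name__ == "__main__":
    print(audit(SPEC))
```

An audit like this only covers endpoints that appear in the inventory, so it is worth comparing the inventory against routes actually observed at the gateway.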