Government Sector Leak: Puerto Rico's CRIM Exposes 1 Million Social Security Numbers
Executive Summary
A severe, low-complexity data exposure has been uncovered within Puerto Rico's primary municipal tax collection agency, the Centro de Recaudación de Ingresos Municipales (CRIM). Reported on July 9, 2026, by ProPublica and the Centro de Periodismo Investigativo (CPI), the incident has exposed the plaintext Social Security numbers (SSNs) of approximately 1 million individuals. The leak was rooted in a critical authorization bypass vulnerability within CRIM's interactive digital property mapping tool, Catastro Digital. Due to a failure to validate requests on backend database servers, unauthenticated users could easily download raw, structured registries of property owners containing matching names, tax values, and SSNs without a username or password. Security professionals warn that this exposure presents an immediate risk of synthetic identity fraud and targeted phishing campaigns across the island.
Deep-Dive Technical Analysis
The Catastro Digital platform is a web-based geographic information system (GIS) used by citizens and real estate professionals to view property boundaries, sale prices, and tax assessment valuations across Puerto Rico. While the frontend user interface of the map restricted public views to basic property parameters, the underlying API endpoints connecting to the database lacked essential backend authorization controls.
A technical reconstruction of the BOLA/IDOR vulnerability highlights a critical failure in API gateway design:
1. Broken Object-Level Authorization (BOLA): The online map requests property metadata from backend directories using standard HTTP GET queries. Investigators determined that the backend application servers failed to validate whether the requesting client was authenticated or possessed the authorization scopes required to view sensitive object records.
2. Predictable Storage Paths and Folder Exposure: The data requests were processed by backend scripts that pointed directly to static server directories. Because these folder structures were predictable and lacked index-blocking routing rules (Directory Browsing enabled), anyone who analyzed the network traffic of a legitimate map request could map out the server's parent directory paths.
3. Downloading the Plaintext Registries: By sending direct HTTP queries to these unprotected storage folders, an unauthenticated remote client could bypass the Catastro Digital interface entirely. This allowed them to download raw, bulk database files (such as CSV and JSON sheets) containing:
* Plaintext Social Security numbers (SSNs) belonging to approximately 1,000,000 property owners.
* Corresponding full names, home addresses, phone numbers, and land parcel boundaries.
* Detailed property tax evaluations and historical transaction records.
4. Denial and Remediation: When initially notified in mid-June, CRIM administrators publicly denied the existence of the vulnerability, asserting that Catastro Digital does not store confidential taxpayer PII. However, independent verifications confirmed that within days of the disclosure, CRIM technical teams patched the security hole, restricting public access to the backend storage endpoints.
Industry Impact and Recommendations
The CRIM leak highlights the immense risk of deploying public-facing web applications without robust, centralized API gateway security. In an era of automated scraping, any endpoint that exposes direct database references without continuous, server-side authentication will inevitably be mapped and exploited.
We recommend that all municipal agencies, government IT departments, and enterprise web developers implement the following immediate mitigations:
1. Enforce Rigid Server-Side Authentication: Never rely on frontend user interface controls to hide sensitive data. Ensure that every single API endpoint and backend query is subjected to strict, continuous server-side authorization checks using secure OAuth 2.0 or JSON Web Token (JWT) verification models.
2. Disable Directory Browsing and Public Access: Configure web servers (Nginx, Apache, or IIS) to explicitly disable directory listing. Restrict public access to backend data folders, routing all database requests through a secure, mediated API gateway that sanitizes and filters data payloads before they reach the client.
3. Encrypt High-Value PII at the Column Level: Ensure that highly sensitive identifiers—especially Social Security numbers, bank accounts, and national ID hashes—are fully encrypted at rest within database tables using AES-256 standards, preventing raw values from being leaked even during a complete directory exposure.
4. Conduct Thorough API Penetration Testing: Integrate automated Static and Dynamic Application Security Testing (SAST/DAST) tools into local deployment pipelines to scan for broken object-level authorization (BOLA) and insecure direct object reference (IDOR) vulnerabilities prior to production releases.
References:
* ProPublica — A Puerto Rico Government Agency Exposed 1 Million Social Security Numbers
* Check Point Research — 6th July Threat Intelligence Report