The US Patent and Trademark Office (USPTO) has admitted to suffering a multi-year data leak in which it unknowingly revealed the private addresses of up to 61,000 patent filers.
US law requires trademark applicants to include a private domicile address, which will often be a home address, in their filings in a bid to verify the applications as genuine and combat fraud.
However, it appears that between February 2020 and March 2023 these details were also appearing in public records, according to a notice sent by the USPTO to those affected by the spill. It's important to note that this leak is the result of an error, rather than a malicious data breach.
The USPTO Data Leak Explained
Of course, data doesn't just magically leak online. As first reported by TechCrunch, the USPTO inadvertently exposed the private addresses in two ways: via the API used to power its patent status checking system, and also in the bulk datasets it makes available to researchers in academic and economic fields online.
The USPTO says it “blocked access to all USPTO non-critical APIs and took down the impacted bulk data products” immediately upon discovering the leak, according to the notice sent to one of the affected parties seen by the website.
In a further statement, USPTO spokesperson Paul Fucito added that the government body had been “voluntarily” masking applicant address details since 2020 but that the regulator had “regrettably failed to locate some of the more technical exit points and properly mask the data exported from those points.”
It's understood that the roughly 61,000 filers who were affected by the leak make up approximately 3% of total applicants during the affected period. The USPTO added that the issue was resolved from April 1, 2023, when the API and related vulnerabilities were fixed.
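The failure described above is a masking rule applied at some exit points but not others: the status API and the bulk datasets each serialized records on their own path, and one of them never went through the mask. The following is an added illustration written for this article, not USPTO code; the record layout, field names, serial numbers and addresses are all constructed. It routes every outbound path through one masking chokepoint and adds an audit that scans any outgoing payload for raw domicile values, which is the check that would have flagged the unmasked bulk export.

```python
import csv
import io
import json
from typing import Any, Dict, List

# Constructed sample filings (hypothetical, not real USPTO records).
# "domicile_address" stands in for the private address the article says
# applicants must file but which must never reach a public exit point.
FILINGS: List[Dict[str, Any]] = [
    {
        "serial": "90000001",
        "mark": "EXAMPLE MARK",
        "status": "REGISTERED",
        "domicile_address": "12 Hypothetical Lane, Springfield, IL 62701",
        "correspondence_address": "Law Firm LLP, 1 Main St, Chicago, IL 60601",
    },
    {
        "serial": "90000002",
        "mark": "ANOTHER MARK",
        "status": "PENDING",
        "domicile_address": "7 Sample Court, Austin, TX 73301",
        "correspondence_address": "Self-represented, PO Box 100, Austin, TX 73301",
    },
]

# Fields that are private by policy. Every exit point consults this one set.
PRIVATE_FIELDS = {"domicile_address"}
MASK = "[MASKED]"
PUBLIC_COLUMNS = ["serial", "mark", "status", "domicile_address", "correspondence_address"]


def mask_domicile(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the record with every private field replaced by MASK."""
    out = dict(record)
    for field in PRIVATE_FIELDS:
        if field in out:
            out[field] = MASK
    return out


def public_view(record: Dict[str, Any]) -> Dict[str, Any]:
    """Single chokepoint: all outbound serializers must call this, never the raw row."""
    return mask_domicile(record)


def api_status(serial: str) -> str:
    """Status-lookup API response (JSON), built from the masked view."""
    for rec in FILINGS:
        if rec["serial"] == serial:
            return json.dumps(public_view(rec))
    return json.dumps({"error": "not found"})


def bulk_export_csv(records: List[Dict[str, Any]]) -> str:
    """Bulk dataset export (CSV), also built from the masked view."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=PUBLIC_COLUMNS)
    writer.writeheader()
    for rec in records:
        writer.writerow(public_view(rec))
    return buf.getvalue()


def legacy_bulk_export_json(records: List[Dict[str, Any]]) -> str:
    """An exit point that serializes raw rows and bypasses public_view().
    Constructed here to represent the kind of path the article says the
    masking never reached, so the audit below has something to catch."""
    return json.dumps(records)


def find_unmasked(payload: str, records: List[Dict[str, Any]]) -> List[str]:
    """Exit-point audit: scan an outbound payload for any raw private value
    taken from the source records. Run it against every export and API
    response in a test suite; a non-empty result means a path skipped masking."""
    leaks: List[str] = []
    for rec in records:
        for field in sorted(PRIVATE_FIELDS):
            value = rec.get(field)
            if value and value in payload:
                leaks.append(f"{rec['serial']}:{field}")
    return leaks


if __name__ == "__main__":
    for name, payload in [
        ("api", api_status("90000001")),
        ("bulk_csv", bulk_export_csv(FILINGS)),
        ("legacy_json", legacy_bulk_export_json(FILINGS)),
    ]:
        print(name, "unmasked:", find_unmasked(payload, FILINGS))
```

The audit is deliberately dumb: it does not know which serializer produced the payload, it only knows what the private values are and checks that none of them appear in anything leaving the system. That is what makes it catch an exit point nobody remembered to wire into the masking layer.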
Data Leak vs Data Breach: What's the Difference?
At this point, it's worth highlighting that a data leak is very different from a data breach. What happened at the USPTO is a regrettable error, though the agency has stressed that it's currently unaware of any misuse of the details that were exposed and there was no malicious intent behind the incident.
A data breach is something much nastier and is when hackers steal information from a database or dataset, often for nefarious purposes. The details affected might then be used as the basis for phishing attacks, like in the recent Coinbase phishing scam, or sold on the dark web for financial gain. Alternatively, it might then be leaked publicly to cause embarrassment to a specific organization or individual.
In other words, in a data breach someone comes in and takes your data, whereas a data leak is when information accidentally spills out into the public realm. The fact that an organization as high-profile as the USPTO suffered a data leak is still worrying, however, given the potential of private address information to be misused for fraudulent purposes such as identity theft.
How To Stop Data Leaks at Your Business
If you're worried about data leaks at your business, then there are a few practical things you can do to make it less likely that they occur.
According to UpGuard, the number one cause of data leaks is misconfigured software settings. This strongly suggests an element of human error is involved in many data leaks, so making sure your employees are happy and well-rested is the obvious place to start. One popular business trend in 2023 sees an increasing number of companies offering a 4-day work week to their staff, with the idea being that it's easier to sustain peak performance over a shorter period of time.
Another important point is to make sure you have enough staff to look after your data and IT security in the first place. There's no getting away from the fact that company layoffs are everywhere this year, and while we aren't here to tell you how to run your company, the fact is that cutting costs can have unexpected consequences. Don't make your data protection one of them, as while the USPTO seems to have escaped relatively unscathed from its data leak, there are always cyber crooks waiting to pounce on leaked data. In some regions, there are also regulators who can impose financial penalties for data leakage, due to localized personal privacy laws.