The federal government agency responsible for granting patents and trademarks is alerting thousands of filers whose private addresses were exposed following a second data spill in as many years.
The U.S. Patent and Trademark Office (USPTO) said in an email to affected trademark applicants this week that their private domicile address — which can include their home address — appeared in public records between August 23, 2023 and April 19, 2024.
U.S. trademark law requires that applicants include a private address when filing their paperwork with the agency to prevent fraudulent trademark filings.
USPTO said that while no addresses appeared in regular searches on the agency’s website, about 14,000 applicants’ private addresses were included in bulk datasets that USPTO publishes online to aid academic and economic research.
The agency took blame for the incident, saying the addresses were “inadvertently exposed as we transitioned to a new IT system,” according to the email to affected applicants, which TechCrunch obtained. “Importantly, this incident was not the result of malicious activity,” the email said.
Upon discovery of the security lapse, the agency said it “blocked access to the impacted bulk data set, removed files, implemented a patch to fix the exposure, tested our solution, and re-enabled access.”
If this sounds remarkably familiar, USPTO had a similar exposure of applicants’ address data last June. At the time, USPTO said it inadvertently exposed about 61,000 applicants’ private addresses in a years-long data spill in part through the release of its bulk datasets, and told affected individuals that the issue was fixed.
When reached for comment Wednesday, USPTO’s deputy chief information officer Deborah Stephens told TechCrunch that the new exposure was discovered as part of the agency’s efforts to modernize its IT infrastructure.
“The fix we had in place was all in place, and remains in place,” said Stephens. “As we’re modernizing and taking the legacy systems from the different decades of standards and protocols, the system error happened in the creation and modernization of that bulk data set.”
Stephens said USPTO put in place new checks when collating and publishing its bulk data sets that include “error correction with file creation,” which should prevent future spills of personal information.
“We’re looking at our legacy-to-modern process of being able to identify ways in which we can improve our IT development, processing and delivery by taking more of a holistic approach to our data, and specifically externally or publicly facing systems,” Stephens said.
USPTO told affected individuals that the agency has “no reason to believe” that exposed addresses have been misused.
