The U.S. Patent and Trademark Office (USPTO) has notified thousands of trademark applicants regarding a data breach exposing their private addresses.
This marks the second incident of such magnitude within two years.
In an email dispatched to affected trademark applicants, USPTO revealed that private domicile addresses, including home addresses, were inadvertently made public between August 23, 2023, and April 19, 2024.
This disclosure comes in line with the U.S. trademark law's requirement for applicants to furnish a private address to thwart fraudulent filings.
While routine searches on the agency's website yielded no addresses, approximately 14,000 applicants' private addresses surfaced in bulk datasets published online by USPTO for academic and economic research purposes.
Acknowledging responsibility for the breach, USPTO attributed the exposure to a transition to a new IT system.
The agency clarified that the incident lacked malicious intent, as stated in the email obtained by TechCrunch: "Importantly, this incident was not the result of malicious activity."
Upon identifying the security lapse, USPTO promptly took measures to contain the situation.
This included blocking access to the affected bulk dataset, removing files, implementing a patch to address the exposure, conducting tests on the solution, and subsequently re-enabling access.
This incident echoes a similar breach in June of the previous year, where approximately 61,000 applicants' private addresses were inadvertently exposed. USPTO had then assured affected individuals that the issue had been rectified.
Deborah Stephens, USPTO's deputy chief information officer, explained that the recent exposure was discovered during the agency's efforts to modernize its IT infrastructure.
She emphasized the implementation of new checks in collating and publishing bulk datasets to prevent future leaks of personal information.
"We're looking at our legacy-to-modern process of being able to identify ways in which we can improve our IT development, processing, and delivery by taking more of a holistic approach to our data, and specifically externally or publicly facing systems," Stephens stated.
Despite the breach, USPTO reassured affected individuals that there is "no reason to believe" that the exposed addresses have been misused.