USPTO’s API Flaw Leads to Years-Long Data Leak

The United States Patent and Trademark Office (USPTO) recently disclosed a data security incident involving address information in certain trademark applications from February 2020 to March 2023.

According to the information provided, about 61,000 addresses were affected, representing 3% of all applications filed during that period.

“On February 24, 2023, we discovered that records obtained through certain application programming interfaces (APIs) of the Trademark Status and Document Review System (TSDR) contained addresses that should have been hidden from public view,” said the notice sent to affected customers.

APIs allow various software applications inside and outside the USPTO to programmatically retrieve data.

“Further investigation revealed that the same address was also included in a Bulk Data product found at https://bulkdata.uspto.gov,” the notice reads. For context, these data files are typically used in academic and economic research.

“Following its discovery, the USPTO reported the data breach to the department’s senior privacy officer and the Enterprise Security Operations Center,” the spokesperson said by email.

The agency stressed that there is no evidence of data misuse at this time and that the incident was not caused by malicious activity. It added that it takes data security seriously and regrets the mistake.


“Malicious attackers and foreign adversaries love to exploit information from federal agencies, and if it is left unprotected for a period of time, hackers are more likely to gather that information for nefarious purposes,” commented Dean Phillips, executive director of the public sector program at Noname Security.

“Intellectual property, and by extension the USPTO, is a major driver of the long-term economic health of the United States. Undermining it is the goal of some adversaries,” Phillips added.

At the same time, the USPTO clarified that it does not have the same reporting requirements as private companies and state/local agencies.

Although it is required by law to include an address in a trademark application, the USPTO offers individuals the option of requesting non-disclosure or waiving the requirement if they have security concerns.

In any event, the agency said it took swift steps to address the issue, including blocking access to non-essential APIs and removing the affected bulk data products. It then implemented a permanent fix and replaced the data file with an updated version that omits the addresses.

“As of April 1, 2023, addresses have been properly masked and all vulnerabilities have been fixed.”

According to Salt Security field CTO Nick Rago, this data breach highlights how urgent it is for organizations to be proactive and vigilant in maintaining proper API inventories.

“In the world of API-first applications, organizations often expose multiple APIs that serve different purposes while accessing the same data set,” says Rago.

“Therefore, it is imperative that organizations be able to continuously discover APIs that exist in their environment.”
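As an added illustration of Rago's point (example code written for this article, not USPTO's or Salt Security's), the snippet below models two export paths that read the same data set, a per-record status lookup and a bulk file, and forces both through one redaction function so that masking cannot drift between them; it also includes an audit check that scans any exported data set for withheld addresses appearing verbatim. The record layout, field names and sample values are constructed, not real USPTO data.

```python
from dataclasses import dataclass, asdict

MASKED = "[ADDRESS WITHHELD]"

@dataclass(frozen=True)
class TrademarkRecord:
    serial: str             # application serial number (constructed value)
    mark: str
    owner_address: str      # required on the application, but may be withheld from public view
    address_withheld: bool  # applicant requested non-disclosure

def public_view(rec: TrademarkRecord) -> dict:
    """Single redaction policy applied by EVERY export path (status API and bulk file)."""
    row = asdict(rec)
    if rec.address_withheld:
        row["owner_address"] = MASKED
    del row["address_withheld"]  # the flag itself is internal and is never exported
    return row

def status_api(records, serial):
    """Per-record lookup endpoint: returns the redacted view, never the raw record."""
    for rec in records:
        if rec.serial == serial:
            return public_view(rec)
    return None

def bulk_export(records):
    """Bulk data product: same policy as the API, so the two cannot diverge."""
    return [public_view(r) for r in records]

def find_leaked_addresses(exported_rows, records):
    """Audit check: serials whose withheld address appears verbatim in an export."""
    by_serial = {r.serial: r for r in records}
    leaked = []
    for row in exported_rows:
        rec = by_serial.get(row.get("serial"))
        if rec and rec.address_withheld and row.get("owner_address") == rec.owner_address:
            leaked.append(rec.serial)
    return leaked

# Constructed sample records (not real applications)
SAMPLE = [
    TrademarkRecord("90000001", "EXAMPLEMARK", "1 Main St, Anytown", True),
    TrademarkRecord("90000002", "OTHERMARK", "2 Elm St, Othertown", False),
]

if __name__ == "__main__":
    print(bulk_export(SAMPLE))
    legacy_rows = [asdict(r) for r in SAMPLE]        # an export path that skipped the policy
    print(find_leaked_addresses(legacy_rows, SAMPLE))  # ['90000001']
```

Running the audit function over every published data product, not just the primary API, is the check that would have flagged the bulk file in this incident.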
