SYS::ONLINE
Wasteland.
Briefs1143
Issues18
SinceFeb 2026
LIVE
▣ Breach PUERTO-RICO-CRIM 2026-07-09

CRIM Puerto Rico: Exposed Property Map Leaks 1 Million Social Security Numbers

"Here is the complete intel brief article."

Here is the complete intel brief article.


title: "CRIM Puerto Rico: Exposed Property Map Leaks 1 Million Social Security Numbers" date: 2026-07-09 slug: puerto-rico-crim-data-exposure


CRIM Puerto Rico: Exposed Property Map Leaks 1 Million Social Security Numbers

Puerto Rico's Municipal Revenue Collection Center (CRIM), the government agency responsible for collecting property taxes across the island, inadvertently exposed the Social Security numbers of approximately 1 million people, according to a joint investigation by Centro de Periodismo Investigativo (CPI) and ProPublica. The exposure stemmed from the agency's public-facing interactive property map, the Catastro Digital, which served unprotected personal data to anyone who understood how to inspect the requests the website made. The vulnerability required no username, no password, and no sophisticated tooling to exploit.

What Happened

CPI and ProPublica identified a vulnerability in CRIM's Catastro Digital, an online tool that displays information such as size, boundaries, tax assessment, sale price, and owner name for every registered property in Puerto Rico. The news organizations notified CRIM of the flaw in mid-June, providing the agency with a detailed technical description that named the specific server and folders holding the compromised data.

Despite the detailed disclosure, CRIM repeatedly denied any problem existed. Executive Director Javier García Cintrón stated that a review of the platform determined there was no breach of confidential taxpayer information and that the Catastro Digital did not contain or display the type of data described. Yet within a few days of being contacted, the reporters observed that the security holes had been quietly patched. García denied that any fix had been necessary or performed.

The incident is the latest in a run of cybersecurity failures for the Puerto Rico government, which over the past three years has seen breaches interrupt public services, take websites offline, and result in citizens' personal information being published on the dark web.

What Was Taken

The exposed dataset centered on Social Security numbers belonging to roughly 1 million people, tied to property ownership records. While a casual search of the interactive map surfaced only routine public property details, the underlying data requests served far more sensitive personal information than the front-end interface displayed. Anyone familiar with how browsers request backend data could download these unprotected records directly from the exposed server folders.

Social Security numbers are among the most damaging identifiers to leak. They are static, cannot be reset like a password, and serve as a primary key for identity theft, fraudulent tax filings, and synthetic identity fraud. With property ownership context attached, the exposed data becomes an even richer resource for targeted social engineering and financial fraud against Puerto Rican residents.

Why It Matters

This incident is a textbook case of both a data exposure and an institutional failure to respond. The technical flaw was serious but ordinary. What compounds it is CRIM's refusal to acknowledge the breach, notify affected residents, or report the incident up the chain.

Puerto Rico law requires any entity, including government agencies, to promptly notify individuals when their personal information has been breached. García stated the agency would not contact users because, in its view, no protected information was at risk. CRIM also failed to notify the Puerto Rico Innovation and Technology Service (PRITS), the body overseeing all government IT systems, even though the government's own cybersecurity protocol requires reporting any suspected security incident. For defenders, this underscores that a technical patch without disclosure leaves victims unaware and unable to protect themselves, and it erodes the reporting discipline that any incident response program depends on.

The broader threat environment is severe. PRITS data shows more than 2 million attempted cyberattacks against the Puerto Rico government so far this year, with half classified as critical incidents carrying severe impact on critical operations.

The Attack Technique

There is no evidence of a sophisticated intrusion. The exposure was a classic broken access control and insecure direct object reference pattern. The Catastro Digital's web application made backend requests to a server for property data, and the sensitive fields, including Social Security numbers, were returned in those responses without any authentication or authorization gating.

An analyst using nothing more than browser developer tools or a basic understanding of the application's data requests could observe the server and folder paths, then retrieve the unprotected files directly. No credentials were needed, no exploit code was required, and no defensive control stood between the public internet and the sensitive records. The front-end map masked the data, but masking at the presentation layer is not a security control when the raw data remains fetchable underneath.

What Organizations Should Do

Sources: A Puerto Rico Government Agency Exposed 1 Million Social Security Numbers — ProPublica