A Puerto Rico government agency accidentally put roughly 1 million people's Social Security numbers on the open internet, no username or password required. Then, when reporters told them about it, the agency's top official looked straight into the camera and said there was no problem. Then they quietly fixed the problem.
What CRIM Left Out in the Open
The Municipal Revenue Collection Center, known by its Spanish initials CRIM, runs an online property map called the Catastro Digital. According to ProPublica and Centro de Periodismo Investigativo, the tool is publicly accessible and lists things like property boundaries, sale prices, tax assessments, and owner names. Normal stuff. Fine.
Except buried underneath that public-facing interface, sitting on unprotected servers with no authentication of any kind, were the Social Security numbers of approximately 1 million people. Anyone with even a basic understanding of how websites make data requests could have downloaded the whole pile. No login. No password. No barrier whatsoever.
ProPublica and CPI found the vulnerability and notified CRIM in mid-June. They provided the agency with a detailed description of exactly where the compromised data lived, including the specific server and folders. This was a gift. A roadmap. A flashing neon sign saying 'please fix this.'
The Denial Was Impressive in Its Confidence
CRIM Executive Director Javier García Cintrón did not thank the reporters. He did not quietly fix the issue and move on. He issued a statement with the words 'NO breach' and 'does NOT contain' in capital letters, as though shouting the denial louder would make it more true.
'Following a review of the Catastro Digital platform, it was determined that there was NO breach of confidential personal taxpayer information, as the Catastro Digital does NOT contain or display the type of information alluded to,' García told ProPublica and CPI.
A few days after that statement, the reporters checked again. The security holes had been patched. When asked about the fixes, García said there was nothing to fix, because there had been no problem. The patches apparently patched themselves. Ghosts, presumably.
The Law Says Notify Users. García Said No.
Puerto Rico has an actual law on this. It requires any entity, including government agencies, to promptly notify users when their personal information has been breached. García's response, according to ProPublica, was that CRIM would not be notifying anyone because, in his telling, 'no protected information was at risk.'
So the roughly 1 million people whose Social Security numbers were sitting on an open server got nothing. No letter. No email. No heads-up to maybe keep an eye on their credit reports.
The agency also did not notify the Puerto Rico Innovation and Technology Service, known as PRITS, which oversees all government IT systems and whose own cybersecurity protocol requires agencies to report any suspected security incident. PRITS, for its part, declined to answer reporters' questions and directed them to file a formal public information request, which is normally a tool for citizens to obtain government records, not a way for agencies to dodge press inquiries.
This Is Not a One-Off
Here is where the story gets genuinely grim. The CRIM breach did not happen in a vacuum. ProPublica reports that in the past three years alone, Puerto Rico has seen technology breaches interrupt government services, knock websites offline, and push citizens' personal information onto the dark web. In 2023, a ransomware attack hit the island's water utility. Last year, residents couldn't verify their criminal records for almost a week after an unauthorized access to the Justice Department's database. In March of this year, driver's license and registration appointments were postponed after an attack on Transportation Department systems.
PRITS data shows more than 2 million attempted cyberattacks on Puerto Rico government systems so far this year. Half were classified as critical incidents, meaning severe impact on operations, compromised sensitive data, or an imminent threat to agency security.
In 2024, Puerto Rico's legislature passed a comprehensive cybersecurity law, Act 40, mandating minimum security standards across all agencies, annual risk assessments, and penalties for noncompliance. Three cybersecurity experts told ProPublica that agencies have broadly failed to implement it. A Puerto Rico Inspector General report released late last year found deficiencies across 90 government agencies, with 60% of them failing to conduct vulnerability assessments of their own IT systems.
The Bigger Problem Nobody Wants to Fix
Carlos Pérez, a cybersecurity expert and director of security intelligence at TrustedSec, told ProPublica the government would be in 'much better shape' if it focused on basics like employee training and multifactor authentication. 'We are addressing the symptom but not the disease,' he said.
A former government IT employee, who asked to remain anonymous over fears about professional blowback, told ProPublica that Act 40 falls short of requiring unified security standards across agencies. That gap has let individual agencies decide for themselves how to protect sensitive personal data. Which is how you end up with a property map quietly holding a million Social Security numbers behind a door that wasn't locked.
ProPublica also points out that several private companies sell Puerto Rico real estate data sourced from public databases like Catastro Digital. Any of them could theoretically have accessed the compromised information during the time the vulnerability was open. Three property listing companies contacted by the reporters said they had no knowledge of the vulnerability and did not access the sensitive data. Which is reassuring, as far as it goes.
The Dingo Take
Let's be precise about what happened here. A government agency exposed approximately 1 million Social Security numbers on the open internet. Journalists found it, documented it, and handed the agency a detailed roadmap of exactly what was wrong. The agency's executive director issued a formal denial with capitalized words for emphasis. The agency then fixed the thing that didn't exist. And then the executive director said again that there was nothing to fix. This is not confusion or bureaucratic fumbling. This is an official choosing a lie and holding it with both hands.
The denial matters more than the breach in some ways. Breaches happen. Governments get hacked. Systems fail. What's not supposed to happen is a senior official telling 1 million people that nothing went wrong, that they don't need to worry, that the law requiring notification doesn't apply because he personally has decided no data was at risk. That's not a mistake. That's a choice, made on behalf of people who had no say in it.
Puerto Rico passed a cybersecurity law in 2024. It has teeth on paper. Sixty percent of agencies aren't bothering with vulnerability assessments. Half of the 2 million cyberattacks recorded this year were deemed critical. The Inspector General found deficiencies across 90 agencies. And when reporters uncovered a real, specific, documented hole in a government system, the response was denial and silence toward the public. The disease, as the expert put it, is still very much untreated.