The US Patent and Trademark Office has been leaking user details for several years

Data Breach
Image Credit: Shutterstock (Image credit: Shutterstock)

The US Patent and Trademark Office (USPTO), the government agency that handles patent and trademark requests, has been operating a faulty application programming interface (API) which was leaking people’s postal addresses for several years.

The organization has notified thousands of its filers about the mishap, explaining what had happened and what it did to remedy the issue.

“When we discovered the issue, we blocked access to all USPTO non-critical APIs and took down the impacted bulk data products until a permanent fix could be implemented,” the body wrote in the notification sent out to the filers. 

Three years of leaks

The API had been leaking data since 2020, until it was finally fixed in early April 2023, when the addresses were masked and the faulty API fixed. 

In a statement given to TechCrunch, USPTO spokesperson Paul Fucito explained that the postal addresses were mandatory for all filers as means of tackling fraudulent applications: 

“As indicated in our notice to impacted filers, while domicile addresses are required under trademark law, we took the voluntary step of masking this information in 2020 as part of our efforts to secure the data that the public accesses directly and frequently,” he said.

“We regrettably failed to locate some of the more technical exit points and properly mask the data exported from those points. We apologize for our mistake and will do better to prevent such an incident from happening again, while also preserving our ability to crack down on the historic amount of filing fraud we’re seeing originate overseas,” Fucito concluded.

In total, some 61,000 patent and trademark filers have had their physical addresses leaked online, representing roughly 3% of all the applications filed in the three-year period. 

USPTO believes no one found the flaw and claims there’s no evidence of any misuse.

Via: TechCrunch

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.