If you called Baltimore’s 311 line at any point in the past 34 years with the expectation of privacy or anonymity, you might be mistaken.
A Thursday article from Cybernews reported the discovery of an unprotected database containing the information of people behind 13.5 million submissions, most of which appeared to come from the city’s 311 service.
“This is one of the largest data leaks discovered by Cybernews,” Aras Nazarovas, a junior information security researcher at the outlet, told Technical.ly.
“The instance contained data from 1989 to the present day,” Nazarovas said, “including private communications and personally identifiable information of its citizens.”
Leaked information included people’s names, phone numbers and email addresses, according to the outlet, which published a redacted screenshot of database information. Exposed details were connected to requests and complaints related to a mix of topics, including housing, traffic incidents, speed cameras, animal control, reported unlawful activity and road quality.
Baltimore currently maintains 311 services through the traditional phone line, a website and a mobile app.
The tech- and cybersecurity-focused online publication, which says it uses “white-hat hacking techniques to find and safely disclose cybersecurity threats and vulnerabilities,” reported that it uncovered this data on May 8 via Kibana, a data visualization software platform for the Elasticsearch search engine.
Researchers are certain the database belonged to the City of Baltimore, per Nazarovas, because it was using the baltimorecity.gov SSL certificate, an electronic document that authenticates a site’s identity.
Though originally open, the information was no longer publicly accessible as of May 20, per the report.
In addition to asking city government about the situation and giving officials time to respond, the Cybernews team alerted federal authorities about the breach, Nazarovas said.
Baltimore launched its non-emergency 311 line in 1996, making it one of the first in the US to do so, according to the city. The service logged its first service request in 2001.
Those requests are now all regularly published in a map, allowing residents to watch progress and see what their neighbors have already addressed via the system. However, no submitter information is included on that interactive map.
A disclaimer on the official Baltimore 311 government landing page advises users not to share too much personal information when placing a service request:
“The city encourages users of its on-line 311 portal to provide only information that is required or requested, and to avoid including any unneeded, personally identifiable information (PII) such as social security numbers.”
The City of Baltimore’s Office of Information and Technology said that the situation is being investigated, with a “Root Cause Analysis” underway.
“No City of Baltimore systems or data have been externally breached,” the office said via a spokesperson in the mayor’s office. “We know that between early March through early May, some 311 customer data including names, emails and phone numbers were inadvertently exposed to the internet. Through the investigation and Root Cause Analysis, we will identify how this occurred and take steps to address it to ensure an inadvertent exposure of this nature does not happen again.”
Baltimore is no stranger to cyber attacks. A 2019 ransomware attack — one of many to hit regional government and private institutions in the last decade — left the city spending about $10 million to fix the breach.
Updated June 21 and 25 to include comments from Cybernews and the city’s Office of Information and Technology, respectively.