USPTO’s API Flaw Leads to Years-Long Data Leak

The US Patent and Trademark Office (USPTO) has recently disclosed a data security incident involving domicile information in certain trademark filings between February 2020 and March 2023.

According to information provided to Infosecurity, approximately 61,000 domicile addresses, constituting 3% of the total number of applications during the relevant period, were affected.

“On February 24, 2023, we discovered that domicile addresses that should have been hidden from public view appeared in records retrieved through some application programming interfaces (APIs) of the Trademark Status and Document Review system (TSDR),” reads a notice sent to affected customers.

The APIs allowed software applications inside and outside the USPTO to programmatically retrieve data.

“Further investigation showed that the same domicile addresses also appeared in bulk data products found on https://bulkdata.uspto.gov,” reads the notice. For context, these data files are typically used in academic and economic research.

“Upon discovery, the USPTO reported the data exposure to the Department’s Senior Agency Official for Privacy and its Enterprise Security Operations Center,” a spokesperson told Infosecurity via email.

The Office emphasized that there is currently no evidence of data misuse and that the incident did not result from malicious activity. It added that it takes data security seriously and regrets the mistake.

“Malicious actors and foreign adversaries would love to exploit information from a federal agency, and if left unprotected for any period of time, there’s a high probability that a hacker will gather information for nefarious purposes,” commented Dean Phillips, executive director of public sector programs at Noname Security.

“Intellectual property, and thus the USPTO, is a major driver for long-term economic health in the US. Undermining that is a goal for some adversaries,” Phillips added.

At the same time, the USPTO clarified that it does not have the same reporting requirements as private companies or state/local agencies.

Including domicile addresses in trademark applications is mandated by statute, but the USPTO provides options for individuals to request non-disclosure or waive the requirement if they have safety concerns.

Regardless, the Office said it had taken swift action to address the issue, including blocking access to non-critical APIs and removing the affected bulk data products. It has implemented a permanent fix, replacing the data files with updated versions that omit domicile addresses.

“Since April 1, 2023, domicile addresses are properly masked, and all vulnerabilities have been corrected.”

According to Nick Rago, field CTO at Salt Security, the data exposure highlights the urgency for organizations to be proactive and vigilant about maintaining a proper API inventory.

“In an API-first application world, organizations often expose multiple APIs with access to the same data sets but serving different purposes,” Rago said.

“This makes it absolutely imperative that organizations have the ability to continuously discover the APIs that exist in their environment.”
