An estimated 61,000 patent filers’ private addresses were accidentally made available within public records for years, according to a recent announcement from the US Patent and Trademark Office (USPTO). In a notice first obtained by TechCrunch and subsequently provided to PopSci, the USPTO explained to affected patent applicants that their address data also inadvertently appeared in bulk datasets previously published online for economic and academic research uses.
Between February 2020 and March 2023, roughly 3 percent of all applications were affected by the data oversight, although government officials believe there is no reason to suspect any bad actors mishandled the exposed addresses. The USPTO finally uncovered the unshielded residence information within one of its application programming interfaces (APIs) on February 24, 2023. An API is often used by websites to enable data access for third parties such as researchers. In this case, the API allowed federal employees and filers to access a system that displayed application statuses.
“When we discovered the issue, we blocked access to all USPTO non-critical APIs and took down the impacted bulk data products until a permanent fix could be implemented,” reads a portion of the notice. According to the USPTO, the issue was fully resolved on April 1, and at no point did these addresses surface during regular searches on the USPTO website.
Within US patent law, individuals and businesses must include a private domicile address whenever submitting a trademark application, thus offering a relatively simple tool in “combatting fraudulent trademark filing activity,” says the USPTO’s notice. Although some applicants choose to use a business address, many simply opt for their own home address. In the letter provided to PopSci, the USPTO stated the regulations also help determine if applicants are required to hire a US-licensed attorney to represent them before the USPTO.
“Importantly, this incident was not the result of malicious activity, and we have no reason to believe that your domicile information has been misused. Nevertheless, we take all data security concerns seriously, and we apologize for our mistake,” the letter reads.