The US Patent Office accidentally leaked thousands of filers’ home addresses

The data leak lasted from February 2020 to March 2023, and affected 3 percent of all applicants.
Black and white photo of government workers in a patent filing office
The U.S. Patent Office, between 1918 and 1928—back when you didn't have to worry about computer leaks. HUM Images/Universal Images Group via Getty Images

Share

An estimated 61,000 trademark filers’ private addresses were accidentally made available within public records for years, according to a recent announcement from the US Patent and Trademark Office (USPTO). In a notice first obtained by TechCrunch and subsequently provided to PopSci, the USPTO explained to affected trademark applicants that their address data also inadvertently appeared in bulk datasets previously published online for economic and academic research uses.

Between February 2020 and March 2023, roughly 3 percent of all applications were affected by the data oversight, although government officials believe there is no reason to suspect any bad actors mishandled the exposed addresses. The USPTO finally uncovered the unshielded residence information within one of the USPTO’s application programming interfaces on February 24, 2023. An API is often used by websites to enable data access for third-parties such as researchers. In this case, the API allowed federal employees and filers to access a system that displayed application statuses.

“When we discovered the issue, we blocked access to all USPTO non-critical APIs and took down the impacted bulk data products until a permanent fix could be implemented,” reads a portion of the notice. According to the USPTO, the issue was fully resolved on April 1, and at no point did these addresses surface during regular searches on the USPTO website.

[Related: This app helped police plan raids. Hackers just made the data public.]

Within US trademark law, individuals and businesses must include a private domicile address whenever submitting a trademark application, thus offering a relatively simple tool in “combatting fraudulent trademark filing activity,” says the USPTO’s notice. Although some applicants choose to use a business address, many simply opt for their own home address. In the letter provided to PopSci, the USPTO stated the regulations also help determine if applicants are required to hire a US-licensed attorney to represent them before the USPTO.

“Importantly, this incident was not the result of malicious activity, and we have no reason to believe that your domicile information has been misused. Nevertheless, we take all data security concerns seriously, and we apologize for our mistake,” the letter reads.

Correction: A previous version incorrectly stated the data leak affected “patent applications.” The leak only affect trademark applicants. The article has been updated accordingly.

 

Win the Holidays with PopSci's Gift Guides

Shopping for, well, anyone? The PopSci team’s holiday gift recommendations mean you’ll never need to buy another last-minute gift card.