The federal government agency responsible for granting patents and trademarks has confirmed it inadvertently exposed about 61,000 filers’ private addresses in a years-long data spill.
The U.S. Patent and Trademark Office (USPTO) said in a notice sent to affected trademark applicants that their private domicile address — often their home address — inadvertently appeared in public records between February 2020 and March 2023.
U.S. law requires applicants to include their private address when submitting a trademark application, a requirement intended to crack down on fraudulent trademark filings.
USPTO said the issue was discovered in one of its APIs, which allows apps used by both agency staff and filers to access a system for checking the status of pending and registered trademarks. (An API allows two things on the internet, such as an app and a server, to communicate with each other.)
USPTO said that the address data also appeared in bulk datasets that the agency publishes online to aid academic and economic research.
“When we discovered the issue, we blocked access to all USPTO non-critical APIs and took down the impacted bulk data products until a permanent fix could be implemented,” read the notice, which TechCrunch obtained from an affected filer.
When reached for comment, USPTO spokesperson Paul Fucito provided more details about the issue: “As indicated in our notice to impacted filers, while domicile addresses are required under trademark law, we took the voluntary step of masking this information in 2020 as part of our efforts to secure the data that the public accesses directly and frequently.”
“We regrettably failed to locate some of the more technical exit points and properly mask the data exported from those points. We apologize for our mistake and will do better to prevent such an incident from happening again, while also preserving our ability to crack down on the historic amount of filing fraud we’re seeing originate overseas,” the spokesperson added.
According to USPTO, the data leak affected about 3% of the total number of applications filed during the three-year period.
USPTO said the incident was resolved on April 1 when domicile addresses were masked and API vulnerabilities corrected.
The notice said that the agency has no reason to believe that the data has been misused.