The Municipal Revenue Collection Center, known by its Spanish initials CRIM, inadvertently exposed the Social Security numbers of approximately 1 million Puerto Rico residents through its interactive property mapping tool, Centro de Periodismo Investigativo and ProPublica reported. The vulnerability existed in CRIM's Catastro Digital platform, which provides public property records including size, boundaries, tax assessments and owner names for every registered property on the island.
The news organizations notified CRIM of the security hole in mid-June after discovering that anyone with basic knowledge of how websites request data could download unprotected personal information without a username or password. Despite this notification, CRIM Executive Director Javier García Cintrón said his agency determined there was no breach and no protected information was at risk. The agency did not notify affected residents or alert the Puerto Rico Innovation & Technology Service, which oversees government IT systems, as required by law.
This incident is the latest in a string of cybersecurity failures for Puerto Rico's government over the past three years, including ransomware attacks that exposed water utility customer data on the dark web and unauthorized access to the Justice Department's criminal records database that left residents unable to verify their employment eligibility for nearly a week. The pattern has prompted scrutiny from both progressive advocates calling for stronger protections and conservative critics questioning government competence in managing digital infrastructure.
What the Right Is Saying
Conservative critics have framed the incident as evidence of broader government overreach in data collection and mismanagement of IT infrastructure. They argue that Puerto Rico's government has accumulated excessive personal information without adequate safeguards, creating targets for cybercriminals.
Some Republican legislators in Puerto Rico questioned whether the scale of data collected by CRIM was necessary, noting that a property tax collection tool should not require access to Social Security numbers at all. Industry commentators suggested that private-sector companies face stricter cybersecurity requirements and higher penalties, making government agencies less incentivized to prioritize security investments.
Fiscal conservatives also pointed to costs associated with implementing Act 40's requirements, arguing that unfunded mandates on cash-strapped municipalities created compliance challenges. They called for clearer guidance from PRITS and more flexibility in how agencies meet minimum standards rather than prescriptive requirements they say may not fit all municipal contexts.
What the Left Is Saying
Progressive advocacy groups and Democratic lawmakers have called for immediate action to hold CRIM accountable and strengthen Puerto Rico's cybersecurity framework. They argue that the failure to notify 1 million residents whose Social Security numbers may have been compromised represents a fundamental breakdown of government responsibility to protect its citizens.
Community advocates in San Juan pointed to Act 40, the comprehensive cybersecurity law passed by Puerto Rico lawmakers in 2024, as evidence that legislators anticipated these risks but that agencies like CRIM have simply chosen not to comply. The law mandated minimum security standards and required annual risk assessments. Civil liberties organizations said the incident underscores the need for enforcement mechanisms with real teeth, noting that CRIM's refusal to acknowledge the breach or notify residents suggests current penalties are insufficient deterrents.
Activists also raised concerns about identity theft risks for affected residents, many of whom may be unaware their Social Security numbers were potentially accessible for months. They called on PRITS and the governor's office to intervene directly and ensure notification protocols are followed retroactively.
What the Numbers Show
PRITS data shows more than 2 million attempted cyberattacks have been recorded within Puerto Rico's government systems so far this year, with half classified as critical incidents involving severe impact on operations or compromise of sensitive data. This represents a significant increase from previous years and underscores the growing scale of threats facing public infrastructure.
A Puerto Rico Inspector General report released late last year found deficiencies across 90 local government agencies, with 60% failing to conduct vulnerability assessments of their IT systems as required by law. The report documented inconsistent security protocols across agencies and inadequate investment in basic protective measures like multifactor authentication.
The Catastro Digital platform contained records for approximately 1 million properties, meaning the breach potentially exposed Social Security numbers for a substantial portion of Puerto Rico's 3.2 million residents who own property on the island. CRIM has not disclosed how long the vulnerability existed before it was patched several days after journalists contacted the agency.
The Bottom Line
The exposure of 1 million Social Security numbers through a government property tax tool raises immediate questions about CRIM's compliance with Puerto Rico's data breach notification requirements and its obligations under Act 40. While PRITS data shows cyberattacks on government systems are increasing in both frequency and severity, the Inspector General's findings suggest most agencies have not completed required vulnerability assessments, leaving known gaps unaddressed.
CRIM's decision not to notify affected residents means many may be unaware their personal information was potentially accessible for months or years. State law requires prompt notification when personal data is breached, but García maintained no protected information was at risk despite journalists' verification of the security hole. The agency also did not inform PRITS of the incident as required by cybersecurity protocols.
Cybersecurity experts say the reactive approach documented in this case—patching vulnerabilities only after discovery rather than conducting regular assessments—is insufficient against increasingly sophisticated attacks. With 2 million attempted breaches already recorded this year and critical incidents on the rise, agencies face mounting pressure to demonstrate they can protect citizen data under existing law.