Baltimore, one of America’s deadliest cities, leaks identities of residents who reported crimes

An unprotected instance revealed the identities behind 13.5 million complaints submitted since 1989, severely threatening the safety of individuals who have used Baltimore City’s 311 Services.

While reporting a crime is every citizen’s duty, most would expect at least some degree of anonymity in fear of repercussions. The latest find from the Cybernews research team casts a dark shadow over the citizens’ privacy concerns.

On May 8th, the team discovered a publicly accessible Kibana instance belonging to the City of Baltimore. The exposed database did not have authentication or authorization systems to protect it against unauthorized access.

Among troves of sensitive data exposed to virtually anyone, the instance contained reports submitted via the city’s 311 initiative. 311 started off as Baltimore’s non-emergency phone line, which can now be used to interact via a website or app.

According to the researchers, the exposed database revealed the names, email addresses, and phone numbers of people who submitted requests over several decades.

Data sample
Sample of the leaked information. Image by Cybernews.

“Even though 311 is meant for non-emergency services, some residents used it to submit accusations of crime. Exposing this type of data could imperil the ones reporting crimes, especially in a city with one of the highest homicide rates in the US,” researchers said.

As of May 20th, the exposed instance was no longer accessible to the public. Meanwhile, the Baltimore City Office of Information & Technology (BCIT) told Cybernews after the publication went live that analysis of the matter has been started and no City of Baltimore systems or data have been externally breached.

“We know that between early March through early May, some 311 customer data including names, emails and phone numbers were inadvertently exposed to the internet. Through the investigation and Root Cause Analysis, we will identify how this occurred and take steps to address it to ensure an inadvertent exposure of this nature does not happen again,” BCIT said.

What data was exposed?

While the instance was still publicly accessible, the team summarized that the database contained reports and complaints submitted by Baltimore’s residents. Additionally, the instance contained:

  • Reported traffic accidents
  • Housing sanitization requests and complaints
  • Road quality reports
  • Locations and statuses of speed cameras
  • Animal control complaints
  • Accusations of illegal activities

Since most of the data was submitted via the 311 service, some of the reports are already publicly available as the City’s government releases selected reports to the public. However, the number and volume of the data in the instance is significantly higher than what’s publicly available.

According to the team, the instance contained over 13.5 million reports submitted over several decades, some dating back to 1989. Since the 311 service was only launched in 1996, the findings point to the data leak exposing several older, digitized reports.

“The leak undermines the privacy and potentially, security of individuals who reported issues, such as accusations of criminal activity, on the platform. Leaking such reports could be dangerous for Baltimore’s citizens who use the platform, as the city is infamous for ranking at the top of the lists when it comes to violent crime in the US,” researchers said.

For example, last year, Baltimore registered over 45 homicides per 100,000 residents, more than eight times higher than the US average.

Updated on July 2nd [02:30 p.m. GMT] with a statement from BCIT.