The U.S. Patent and Trademark Office acknowledged Thursday that 61,000 private addresses of trademark applicants were inadvertently exposed in a years-long data leak between February 2020 and March 2023.
The trademark office said the data leak affected about 3% of the total number of trademark applicants filed during the three-year period and that the issue was fully fixed on April 1, without any data having been misused.
“Upon discovery, the USPTO reported the data exposure to the Department’s Senior Agency Official for Privacy and it’s Enterprise Security Operations Center, which in turn reported the exposure to the Department of Homeland Security. As you are aware, the USPTO also notified affected parties of the exposure,” a USPTO spokesperson emailed FedScoop.
“The USPTO has no reason to believe that the data has been misused,” the spokesperson added.
U.S. law requires trademark applicants to include their private address when submitting an application in order to combat fraudulent trademark filings.
The trademark office said in a notice sent to all those impacted by the data leak that by April 1 the issue had been fully fixed by properly masking all of the private addresses and correcting all system vulnerabilities found.
The trademark office said that in February it discovered that private domicile addresses that should have been hidden from public view appeared in records retrieved through some application programming interfaces (APIs) of the Trademark Status and Document Review system (TSDR). The APIs are used in apps by both agency staff and trademark filers to access the TSDR system for checking the status of pending and registered trademarks.
Some private addresses also appeared on the bulk data portal of the USPTO website.
The trademark office highlighted that as a federal government agency, the USPTO does not have the same reporting requirements as a private company or a state or local agency would and does have a process whereby those who do not want their address to be shown publicly can request that it is not made public or they can waive the requirement altogether.
Details of the USPTO leak were first reported by TechCrunch.