1 Million Puerto Rican Social Security Numbers Were Exposed, but the Government Denies It

Puerto Rico quietly patched the security flaw but continues to deny that a data breach occurred, leaving citizens vulnerable to tax fraud, identity theft, and phishing attacks.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

A cybersecurity flaw in the systems of Puerto Rico's Municipal Revenue Collection Center (CRIM) has exposed the Social Security numbers of more than one million citizens.[1]

What's shocking is that the agency denied any such vulnerability despite receiving convincing cryptographic proof, thereby evading any liability to notify citizens of the data breach.

This essentially means that if you're among the one million citizens impacted, you will receive no notification or information about the breach from the government, and it's up to you to protect your personal information.

Here's what happened and the steps you can take to protect yourself and minimize the risk of identity theft.

In this article
How was the vulnerability identified?
The government denied any wrongdoing
History of Puerto Rico cyberattacks
What can you do to protect yourself
Bottom line

How was the vulnerability identified?

According to ProPublica's findings, the vulnerability was identified in CRIM's Catastro Digital tool, an online property mapping platform that allows citizens to view data such as tax assessments, public property boundaries, and sales prices of all properties registered on the island.

The flaw was first identified through a joint investigation by the Centro de Periodismo Investigativo (CPI) and ProPublica, which promptly notified CRIM of the underlying vulnerability.

A regular user performing a simple search on the Catastro Digital website would not be able to see the exposed information. However, anyone with knowledge of how the website requests data could view and download personal information — including Social Security numbers — without a username or password.

Worse still, advanced hacking techniques or complex software were not required to extract the data. Anyone with a basic understanding of the website's backend architecture could locate and download unprotected folders containing the personally identifiable information of one million Puerto Ricans.

A cybercriminal could use your leaked Social Security number to commit identity theft, apply for new credit cards or loans, or even file fraudulent tax returns to claim any refunds you're entitled to. Moreover, because the exposed data comes from a property tax platform, you should be especially cautious of phishing emails, text messages, or phone calls claiming to be from CRIM or other Puerto Rican government agencies. These will trick you into revealing even more sensitive information, such as your online banking credentials.

The government denied any wrongdoing

Instead of acknowledging the mistake, the agency flatly denied that any such vulnerability existed. "Following a review of the Catastro Digital platform, it was determined that there was NO breach of confidential personal taxpayer information, as the Catastro Digital does NOT contain or display the type of information alluded to," said CRIM Executive Director Javier García Cintrón.

Interestingly, a few days after notifying CRIM, CPI and ProPublica noticed that the agency had quietly patched the reported security flaws.

By not acknowledging the flaw or the breach, CRIM appears to have avoided the mandatory notification requirement under Puerto Rican law. The legislation states that any entity, including government agencies, must promptly notify users if their personally identifiable information has been breached.

However, since the agency did not acknowledge the vulnerability in the first place, there appears to be no technical requirement to issue such a notification.

Additionally, CRIM did not notify the Puerto Rico Innovation and Technology Service (PRITS), as required under the government's cybersecurity protocol. PRITS oversees government information technology systems across Puerto Rico.

History of Puerto Rico cyberattacks

Unfortunately, this isn't a one-off incident involving the Puerto Rican government. According to ProPublica, PRITS data shows that more than 2 million cyberattack attempts have targeted the Puerto Rican government, around half of which were deemed critical.

For instance, in March 2026, Puerto Rico's Department of Transportation had to cancel all upcoming appointments following a cyberattack. Similarly, last year, many Puerto Rican residents were unable to verify their criminal records due to unauthorized access to the island's Justice Department database.

Back in April 2022, a similar cyberattack crippled Puerto Rico's toll collection system, while in February 2020, a hacked email account belonging to an Employment Retirement System employee led to losses of $2.6 million for the Puerto Rican government.

Following this series of cyberattacks, a law was passed in 2024 requiring government agencies to observe minimum cybersecurity standards and principles. However, the government has failed to implement these standards.

More than 60% of Puerto Rico's 90 local government agencies failed to conduct vulnerability assessments of their IT systems, according to a 2025 report from the Puerto Rico Office of the Inspector General.

Overall, it's logical to conclude that the increasing number of cybersecurity incidents is a direct consequence of the lack of uniform standards across Puerto Rican agencies for protecting personal data.

What can you do to protect yourself

Even though the Puerto Rican government isn't providing notifications or assistance to affected citizens, there are still a few steps you can take to protect your identity.

  1. Get an Identity Protection PIN from the IRS. It’s a six-digit number issued free of charge by the IRS and helps verify your identity when filing paper or electronic tax returns. So, even if a threat actor has your SSN, they’re unlikely to be able to file a return without it.
  2. Consider using an identity theft protection service. These tools can monitor dark web marketplaces, known data breaches, and other databases for your personal information, alerting you if it appears online. Some also help remove your personal information from data broker websites by submitting opt-out or deletion requests on your behalf.
  3. Place a credit freeze to prevent anyone from opening new lines of credit in your name. This service is also free of charge.
  4. Regularly monitor your financial accounts, such as your bank and credit card statements, and promptly notify your financial institution if you notice any unauthorized transactions.
  5. Do not click on suspicious links, especially those claiming to be from Puerto Rican government agencies. As mentioned earlier, the government has denied responsibility, so it's likely that any communication claiming to be about the breach is a scam.

Bottom line

A major cybersecurity flaw, coupled with the Puerto Rican government's repeated failure to implement adequate cybersecurity standards, has led to yet another data breach.

This time, the Social Security numbers of one million Puerto Rican citizens have been exposed. Unfortunately, the government continues to deny that a breach occurred, leaving affected citizens without any official notification or assistance.

Affected citizens, therefore, have to take full responsibility for protecting their digital privacy. File your tax return as early as possible or obtain an IRS Identity Protection PIN to reduce the risk of tax refund fraud.

Additionally, consider placing a credit freeze, monitor your financial accounts over the coming months, and use safeguards such as identity theft protection services to detect any misuse of your personal information.

👉 Citations

  1. A Puerto Rico Government Agency Exposed 1 Million Social Security Numbers

4.8
Editorial Rating
Get Deal
On Aura Identity Theft's website
2026 Editors’ Choice
Best Overall Identity Theft Protection Service
Identity Protection
Aura Identity Theft
PROMOTION: Save Up to 68%
  • ID theft protection that monitors your SSN, bank accounts, credit cards, and brokerage and retirement accounts for suspicious activity
  • Every plan includes the full feature set, so no additional cost to unlock monitoring, insurance, or restoration
  • Bundles data removal with identity theft protection, antivirus, VPN, and a password manager in one subscription

Author Details
Krishi Chowdhary specializes in digital privacy, cybersecurity, and consumer technology. He has written extensively on online privacy tools and broader cybersecurity topics, including online scams, data breaches, age verification, and emerging digital threats. Krishi believes technology reporting should empower readers, not confuse them, and is committed to making even the most technical subjects easy to understand without compromising on accuracy or depth. His work has appeared in leading technology publications, including CNET, ExpressVPN, and TechRadar, where he has covered topics ranging from cybersecurity incidents and privacy product announcements to artificial intelligence and major technology news

Citations

[1] A Puerto Rico Government Agency Exposed 1 Million Social Security Numbers