San Juan-Puerto Rico’s Office of the Inspector General (OIG) has identified serious control failures in the Karibe system — the digital platform used to manage the island’s Property Registry — leaving $3,663,690.75 in unredeemed credits vulnerable to unauthorized use, according to a report released Thursday.
The audit of the Digital Real Estate Registry, which operates under the Department of Justice, found deficiencies in how credits are issued, used, and managed, as well as weaknesses in system access controls, security infrastructure, and internal oversight.
Credits With No Named Beneficiary
Karibe generates credits — issued when a document is withdrawn or when filing fees are overpaid — without specifying to whom they are assigned. That design flaw means anyone, not just the originally designated party, can use them.
In a sample of 47 credits ranging from $5,070 to $49,544, auditors found two credits totaling $26,850 that had been redeemed by a notary or filer different from the one originally designated. The OIG warned this creates confusion over ownership, facilitates unauthorized use, and exposes the Registry to legal disputes.
For the period from July 1, 2023 to May 6, 2025, the Registry issued 34,074 credits totaling $6,715,324.85. Of those, 22,452 — worth $3,663,690.75 — remain unredeemed. Another 11,587 were redeemed for $3,001,484.10 and 35 were canceled for $50,150.
Unrestricted Access to Sensitive Data
The report found that users with technician, supervisor, and registrar credentials all had access to the module containing both redeemed and unredeemed credits — and could download and print unredeemed credits without restriction or supervisory approval. The only validation required was entering a serial number, confirming the credit hadn’t been used, and verifying the amount matched the system record.
Beyond the credits module, the OIG identified systemic failures in account management. At the time of the review, the Registry had 333 active Karibe accounts, including 11 with administrative privileges — four as super-administrators and seven as system administrators. A review of 44 accounts belonging to former employees who left between July 2023 and May 2025 found that one account remained active for 292 days after the employee’s departure.
A Single Employee With Too Much Power
Perhaps the most significant finding involves the Helpdesk-Karibe office. Staff there held unlimited super-administrator credentials while simultaneously performing substantive Registry functions — including processing mortgage cancellations, property sales, heir declarations, easements, condemnations, and estate partitions.
The OIG said this combination allows a single employee to control critical stages of both the registration process and the underlying system, “increasing the risk of errors, irregularities, and misuse of privileges without timely detection.”
Security Gaps
The report also flagged that no vulnerability testing has been conducted on the Karibe application, that data at rest is not encrypted, and that there is no formal change management system to document, evaluate, and audit modifications to the platform.
What the OIG Is Recommending
The Inspector General’s recommendations include modifying the credit format to identify the beneficiary, requiring identity verification before redemption, restricting printing and download capabilities to the registrar role, eliminating shared generic accounts, limiting administrative privileges, and establishing automated periodic access reviews. On the security side, the OIG called for annual penetration testing, vulnerability scanning, encryption controls for data at rest, and a formal change management system with approval workflows and audit trails.
Karibe has been operating since March 2016 under Puerto Rico’s Real Estate Property Registry Law, enabling notaries and registered users to digitally file deeds, conduct title searches, and manage property-related transactions.
