The California Department of Motor Vehicles (DMV) announced Thursday that personal information of California drivers may have been leaked through a computer breach.
According to the DMV, the Seattle-based Automatic Funds Transfer Services (AFTS), a department contractor that verifies vehicle registration addresses, had a ransomware attack initiated against them earlier this month. This included 20 months-worth of DMV data including vehicle owner names, addresses, license plate numbers, and vehicle identification numbers (VIN). Due to the parameters of the verification process, data not given to AFTS and thus was safe from the attack included more sensitive information, such as Social Security numbers, birthdates, and other data.
All together, just under 40 million DMV vehicle records may have been hacked.
“We are looking at additional measures to implement to bolster security to protect information held by the DMV and companies that we contract with,” noted the DMV on Wednesday. “Approximately 38 million records have potentially been compromised.”
The total number of affected people is currently unknown, as many drivers, companies, and other business entities can have numerous registered vehicles.
Upon learning of the leak earlier this month, the DMV immediately stopped all data sharing with AFTS, has begun an investigation into the ransomware attack to determine what, if any, information was obtained, and alerted the Federal Bureau of of Investigation (FBI) and other law enforcement agencies.
“AFTS is contracted with numerous public sector groups all along the West Coast, including the city of Seattle,” explained Bay Area-based client verification consultant Jeff Abrams to the Globe. “They mostly have Washington State clients, but as the California DMV proves, it’s elsewhere too.
“Attacks like these are unfortunately something that can happen, and have been growing by the number of occurrences for years. Russian and Chinese hackers are often the most likely suspects, but there are many cases coming from allied nations and within the U.S. too.
“In the case of the DMV, it’s still too early to tell what exactly was breached. The DMV had over 38 million records in there alone.
“Regardless, the DMV should get a new contractor after this. After any big breach, there is usually a huge shuffle of contractors service providers because those affected usually don’t like staying with the company who wronged them. The DMV would be crazy not to after this, because this is truly serious.”
The DMV is expected to announce the full scale of the breach and what, if any, data was taken in the near future.