Off the Kuff

cybersecurity

So about that DPS delay in notifying the victims of the credential stuffing attack

Here’s their explanation.

[DPS Director Steve] McCraw said DPS officials kept the news under wraps to avoid jeopardizing the agency’s investigation, including efforts to arrest the fraudsters who organized the scheme.

The explanation came in response to questioning from state Rep. Mary González, D-El Paso, who expressed bewilderment over the delay.

“So, hold on,” González said. “It could be my driver’s license, and somebody could be going around as Mary González right now for two months, and nobody has been notified.”

González also queried McCraw and one of his top deputies, Jeoff Williams, about whether the state could face fines for possibly running afoul of federal regulations requiring timely notice of certain security breaches.

Williams, DPS’ deputy director of law enforcement services, said that was not the case. He added that the criminal investigation — which includes at least four states — “has taken priority at this point.”

“We recognize that there’s a requirement to notify people, and we want to do that more than anyone, believe me,” Williams said. “… We’re going to handle each one of those (affected Texans) with the individual care that’s required, given what occurred to them.”

On Tuesday, DPS confirmed that it had begun sending letters informing victims of “fraudulent activity that resulted in your driver license card being sent to an unauthorized party.” The agency reportedly told the victims they would be issued a new replacement license at no charge.

Under state law, anyone who “conducts business” in Texas and owns or licenses data that includes “sensitive personal information” is required to notify people within 60 days if their information is compromised in a breach. The law provides an exception, however, if a law enforcement agency “determines that the notification will impede a criminal investigation.”

“The notification shall be made as soon as the law enforcement agency determines that the notification will not compromise the investigation,” the law states.

In 2021, state lawmakers tacked on a requirement to notify the state attorney general about any breach that involves at least 250 Texans. The attorney general’s office is required to post a publicly accessible list of the breaches on its website, updated within 30 days of each breach notice.

The attorney general’s office has tallied 468 such breaches since the law took effect in September 2021 — an average of 26 per month.

See here for the background. I get the reason for the delay, though perhaps there should be some limit to that, and the earlier stories mentioned that the FBI and Homeland Security were also involved, so that’s good. I just don’t trust Steve McCraw. But unless there’s some other nuance to this, I’ll have to get over it.

Of more interest to me is what DPS and the Texas Department of Information Resources will learn from this. Will they take proactive steps to notify their customers whose passwords are known to have been compromised? How about doing a better job of screening where these logons come from, and put in extra verifications to filter out unwanted foreign actors? McCraw specifically said there weren’t adequate controls in place. What controls does he have in mind, and who is responsible for implementing them? Put the cybersecurity stuff aside for a second, was this an unusual number of license requests, was there a way to detect that, and what if anything was supposed to be done if so? And if there wasn’t any way to flag that as suspicious, is there now? This is the kind of review process that an enterprise has to undertake when there is a successful attack like this. All of us drivers license holders need to know that this is happening. Please keep the pressure on them, legislators.
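The two questions above, whether logons from one source could have been screened and whether an unusual number of replacement-license requests could have been detected, are both answerable from ordinary portal logs. The following is an added example, not DPS or DIR code: the log format, the thresholds and every record in it are constructed for illustration. It looks for the classic account-takeover signature (one client address walking through many distinct accounts with a high failure rate, which is different from brute force against a single account) and for a day whose successful duplicate-license orders sit far above the prior days' baseline.

```python
"""Portal-log checks for the two signals this post asks about: one source
trying many accounts (credential stuffing / account takeover) and an unusual
volume of duplicate-license orders. Added example; log format, thresholds and
every record are constructed, not DPS/DIR data."""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed format: "<ISO timestamp> <client IP> <account> <event> <OK|FAIL>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<account>\S+) (?P<event>\S+) (?P<outcome>OK|FAIL)$")


def build_sample_log():
    """Fourteen quiet days followed by one day of abuse (constructed data)."""
    lines = []
    for day in range(1, 15):                      # genuine traffic: 2-4 orders/day
        for n in range(2 + day % 3):
            ip, acct = f"198.51.100.{day}", f"user{day}_{n}"
            lines.append(f"2022-11-{day:02d}T10:{n:02d}:00 {ip} {acct} login OK")
            lines.append(f"2022-11-{day:02d}T10:{n:02d}:30 {ip} {acct} dup_license OK")
    for n in range(40):                           # one IP walks 40 accounts; 1 in 4 succeeds
        outcome = "OK" if n % 4 == 0 else "FAIL"
        lines.append(f"2022-11-15T03:{n:02d}:00 203.0.113.7 victim{n} login {outcome}")
        if outcome == "OK":
            lines.append(f"2022-11-15T03:{n:02d}:30 203.0.113.7 victim{n} dup_license OK")
    return "\n".join(lines)


def parse_log(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(m.groupdict())
    return events


def flag_stuffing_sources(events, min_accounts=10, min_fail_ratio=0.5):
    """IPs that tried many distinct accounts with a high failure rate.

    Brute force is one account / many passwords; stuffing is many accounts /
    one guess each, so the distinct-account count is the key feature. The
    failure ratio keeps a busy NAT full of real users from being flagged.
    """
    accounts, fails, total = defaultdict(set), Counter(), Counter()
    for e in events:
        if e["event"] != "login":
            continue
        accounts[e["ip"]].add(e["account"])
        total[e["ip"]] += 1
        if e["outcome"] == "FAIL":
            fails[e["ip"]] += 1
    flagged = {}
    for ip, accts in accounts.items():
        ratio = fails[ip] / total[ip]
        if len(accts) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(accts), "fail_ratio": round(ratio, 2)}
    return flagged


def flag_order_spikes(events, event="dup_license", min_baseline_days=7, z=3.0):
    """Days whose successful order count exceeds mean + z*stdev of prior days.

    Days with zero orders are absent from the counter, so a production
    version should fill those in before computing the baseline.
    """
    counts = Counter(e["ts"][:10] for e in events
                     if e["event"] == event and e["outcome"] == "OK")
    days = sorted(counts)
    flagged = []
    for i, day in enumerate(days):
        baseline = [counts[d] for d in days[:i]]
        if len(baseline) < min_baseline_days:
            continue
        threshold = mean(baseline) + z * max(pstdev(baseline), 1.0)  # floor stdev at 1
        if counts[day] > threshold:
            flagged.append((day, counts[day], round(threshold, 2)))
    return flagged


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("stuffing sources:", flag_stuffing_sources(evs))
    print("order spikes:", flag_order_spikes(evs))
```

Neither check needs anything beyond what a web front end already logs, which is the point: the question is not whether the data existed but whether anyone was looking at it. Source screening (a geolocation lookup on the client address, or a step-up verification when the address has no history with the account) would be a third signal layered on top of the same log.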

DPS victimized by credential stuffing attack

That’s the technical term for this.

The Texas Department of Public Safety was duped into shipping at least 3,000 Texas driver’s licenses to a Chinese organized crime group that targeted Asian Texans, DPS Director Steve McCraw told a Texas House committee on Monday.

The crime group worked through the state’s government portal, Texas.gov. The agency, which discovered the security breach in December, will begin notifying victims in letters to be sent out this week, the DPS chief said. More victims are still being identified, he said.

“We’re not happy at all, I can tell you that, one bit,” McCraw said in testimony to a House Appropriations subcommittee. “They should have had — controls should have been in place, and they never should have happened.”

The crime organization, which McCraw did not name, was able to get its hands on the Texas driver’s licenses by first pulling personal data on individuals with Asian surnames from the “dark web” and other underground data-trading portals.

That info, including previous addresses and family names, allowed thieves to correctly answer password security questions on the Texas.gov site and use stolen credit cards to order duplicate copies of active licenses — such as those ordered by people who misplace their licenses or report them stolen. A replacement license costs $11.

The state-run Texas.gov site is the central portal for Texans wanting to renew licenses, obtain driving records and registration, and obtain birth and death certificates, among other things.

The investigation into the stolen driver’s licenses spans at least four states and also involves fraudulent licenses duplicated from victims in other states as well as Texas. The FBI and the Department of Homeland Security are also investigating, according to the DPS letter to lawmakers.

House Appropriations Vice Chair Mary González, an El Paso Democrat, blasted DPS agency chiefs for letting so much time lapse while Texans were unaware that their identities were being used fraudulently.

“Somebody could be going around as Mary González right now for two months, and nobody’s been notified, I [wouldn’t have been] notified,” González said.

DPS officials are not calling the incident a “data breach” because they say no hacking was involved and vast amounts of data were not being stolen. Instead, the crime group used data obtained from underground sources to bypass a simple password security system — laying bare a security vulnerability that “should never have happened,” McCraw said.

Texas.gov is operated not by DPS, but by the Texas Department of Information Resources.

DPS officials declined to provide details about the security loophole that left the site open to fraud but told lawmakers that it had been closed.

DIR spokesperson Brittney Booth Paylor dismissed the notion that the incident was a cybersecurity breach, calling it “a case of fraudulent criminal activity based on factors unrelated to state systems.”

[…]

The problem was first detected in December when a third-party Texas.gov payment vendor “alerted DPS to an increase in customers challenging credit card charges for online transactions,” according to a February letter sent to lawmakers from the DPS. The credit cards used to buy the fraudulent copies were also stolen, authorities said.

Before investigators shut down the operation, McCraw said, the license thieves were able to use the site, billed as “the official website of the State of Texas,” to obtain driver’s licenses that are “Real ID compliant” — not cheap copies, McCraw said.

These stolen licenses can pass verification methods and be used fraudulently all over the country because they are real driver’s licenses being used by people who can pass for the photo on the original card, McCraw said.

See here if you want to learn a bit more about what a credential stuffing attack is. Long story short, don’t reuse your passwords and enable two-factor authentication where you can.

Putting my cybersecurity hat on for a minute, I will say that the DIR response to this is disingenuous. It’s true that there are plenty of pwned password lists available on the internet, and that it’s not Texas’ fault if people reuse passwords. But there are services that the state can subscribe to that would alert them to email addresses in their database that have been found in those pwned lists, which would then give DPS or DIR or whoever would have that responsibility the impetus to contact those address owners proactively and tell them to update their password. They could also enforce, or at least offer, a two-factor solution, and there are other proactive steps available as well. DPS/DIR isn’t “responsible” for this, but DPS/DIR absolutely could have done something to prevent or minimize it.
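The password side of what the paragraph above describes can be done without ever sending a user's password, or even its full hash, to the outside service. The following is an added example, not code from the state or from any vendor: it implements the k-anonymity range lookup that the Pwned Passwords service uses (the client sends the first five hex characters of the SHA-1 and matches the returned suffixes locally). The range replies here are constructed from three sample passwords so the block runs offline; a real deployment would swap in an HTTP fetch of `https://api.pwnedpasswords.com/range/<prefix>`, and the `login_policy` decisions are an assumption about what a portal might do. The email-address alerting mentioned above is a separate domain-search product and is not shown here.

```python
"""Login-time check of a password against a breached-password corpus using the
k-anonymity range protocol Pwned Passwords uses: only the first five hex chars
of the SHA-1 are ever sent, and the server's reply is matched locally.
Added example, not state code; the range replies here are constructed from a
few sample passwords so it runs offline."""
import hashlib

# Constructed stand-in for the corpus. The real service answers
# GET https://api.pwnedpasswords.com/range/<5-hex-prefix> with lines of
# "<35-hex-suffix>:<count>"; this dict is built to the same shape.
_SAMPLE_BREACHED = {"password": 3000000, "123456": 20000000, "texas2022": 12}


def _sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_fake_ranges(samples):
    ranges = {}
    for pw, count in samples.items():
        digest = _sha1_upper(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return ranges


_FAKE_RANGES = _build_fake_ranges(_SAMPLE_BREACHED)


def fake_fetch_range(prefix):
    """Offline stand-in for the HTTP range lookup (constructed data)."""
    return "\r\n".join(_FAKE_RANGES.get(prefix, []))


def breach_count(password, fetch_range=fake_fetch_range):
    """How many times `password` appears in the corpus; 0 if never seen.

    The full hash never leaves the client: we send the 5-char prefix and scan
    the returned suffixes locally, so the service learns neither the password
    nor which of the ~hundreds of suffixes in the range we cared about.
    """
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def login_policy(password, fetch_range=fake_fetch_range):
    """Decision a portal could take at login or password change (assumption).

    Stored password hashes (bcrypt etc.) cannot be checked against the corpus,
    so the check has to happen while the plaintext is briefly available.
    """
    if breach_count(password, fetch_range) == 0:
        return "allow"
    return "force_reset"   # and notify the account holder; require 2FA going forward


if __name__ == "__main__":
    for pw in ("password", "texas2022", "correct horse battery staple x7Q!"):
        print(pw, "->", breach_count(pw), login_policy(pw))
```

Because the check only works when the plaintext is in hand, the practical pattern is: run it at registration and password change to refuse known-bad passwords outright, and run it at login so existing accounts with compromised passwords get pushed through a reset the next time they sign in.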

Rep. González’s complaint about the delay in notifying the affected users is addressed in a later Chron story. I drafted this originally Monday night, so I will do a separate post on that. Short answer, there is a legal requirement in Texas to report data breaches, but there is an exception for when there is an active law enforcement investigation, which DPS has invoked here.

Given the upsurge in violence against Asian-Americans, Rep. González also asked if this could be considered a hate crime, which McCraw avoided answering. It may not be possible to tell from what they know right now, but it is possible to try to figure it out. I’m glad DPS is in contact with the FBI and DHS about that, and I hope that leads to some action. I hope the Lege will press DPS and DIR to do better, and to share the results of the investigation when it’s over. The Lege – and the media – should also focus on McCraw’s statement about controls not being in place and demand to know what is now being done about that. Either we learn from this or we risk having it happen again. The Chron has more.

More on the collegiate TikTok bans

An interesting perspective from a professor in Texas.

The bans have come in states where governors, like Texas’s Greg Abbott, have blocked TikTok from state-issued computers and phones. Employers can generally exercise control over how employees use the equipment they issue to them. The move to block TikTok on public university networks, however, crosses a line. It represents a different type of government regulation, one that hinders these institutions’ missions.

The bans limit university researchers’ abilities to learn more about TikTok’s powerful algorithm and data-collection efforts, the very problems officials have cited. Professors will struggle to find ways to educate students about the app as well.

Many, as my students suggested, will simply shift from the campus Wi-Fi to their data plans and resume using TikTok on campus. In this regard, the network bans create inequality, allowing those who can afford better data plans more free expression protections, while failing to address the original problem.

Crucially, TikTok isn’t just a place to learn how to do the griddy. It has more than 200 million users in the U.S., and many of them are exercising free-speech rights to protest and communicate ideas about matters of public concern. When the government singles out one app and blocks it on public university networks, it is picking and choosing who can speak and how they do so. The esteem and perceived value of the speech tool should not factor into whether the government can limit access to it.

The Supreme Court has generally found these types of restrictions unconstitutional. Justices struck down a North Carolina law in 2017 that banned registered sex offenders from using social media. They reasoned, “The Court must exercise extreme caution before suggesting that the First Amendment provides scant protection for access to vast networks in that medium.” Years earlier, the court struck down a law that criminalized digital child pornography. It reasoned lawmakers “may not suppress lawful speech as the means to suppress unlawful speech.”

Nearly a century ago, the first instance in which the Supreme Court struck down a law because it conflicted with the First Amendment came in a case that involved a blanket ban by government officials on a single newspaper. The newspaper was a scourge to its community. It printed falsehoods and damaged people’s reputations. Still, justices reasoned the First Amendment generally does not allow the government to block an information outlet because it threatens the “morals, peace, and good order” of the community.

Each of these laws, while put in place by well-meaning government officials, limited protected expression in their efforts to halt dangerous content. The First Amendment, however, generally doesn’t allow government officials to throw the baby out with the bathwater. Any limitation on expression must only address a clearly stated government interest and nothing else.

So, what is the government interest in blocking TikTok? Perhaps the most coherent statement of TikTok’s perceived national-security threat came from FBI Director Chris Wray in December. He emphasized, because of China’s practice of maintaining influence in the workings of private firms who do business in the country, Chinese officials might manipulate the app’s powerful recommendation algorithm in ways that distort the ideas Americans encounter. American TikTok users might see pro-China messages, for example, while negative information might be blocked. He also averred to TikTok’s ability to collect data on users and create access to information on users’ phones.

The University of Texas’s news release from earlier this week parroted these concerns, noting, “TikTok harvests vast amounts of data from its users’ devices—including when, where and how they conduct internet activity—and offers this trove of potentially sensitive information to the Chinese government.”

These are valid concerns, but apps such as Instagram, Twitter, Snapchat, and YouTube also harvest vast amounts of data about users. Their algorithms do far more than simply supply information. Facebook’s and YouTube’s algorithms, for example, have both been found to encourage right-wing extremism. They are, as Wray and Texas’ news release lamented regarding TikTok, distorting the ideas Americans encounter. Why aren’t we blocking them, too? The obvious answer is that none of these companies are owned by a Chinese firm. But can’t firms such as Meta, Twitter, and Google execute the same harms officials have listed from within the U.S.?

See here and here for the background. The author didn’t say where he teaches, but Google suggests he’s a journalism prof at SMU, which has no obligation to follow suit as it’s a private school. The main thing I took away from this is the possibility that someone at one of these schools, or multiple someones aiming for a class action, could file a First Amendment lawsuit to overturn the bans. The distinction between enacting a workplace ban on (basically) company-owned devices and a more general ban at a university seems clear to me. Whether anyone will take this up or not I couldn’t say – filing a federal lawsuit is no small thing. But it could happen, so we’ll keep an eye out for that.

UT bans TikTok on campus WiFi

This feels like a bit of an overreaction to me, but we’ll see if others follow suit.

The University of Texas at Austin has blocked access to the video-sharing app TikTok on its Wi-Fi and wired networks in response to Gov. Greg Abbott’s recent directive requiring all state agencies to remove the app from government-issued devices, according to an email sent to students Tuesday.

“The university is taking these important steps to eliminate risks to information contained in the university’s network and to our critical infrastructure,” UT-Austin technology adviser Jeff Neyland wrote in the email. “As outlined in the governor’s directive, TikTok harvests vast amounts of data from its users’ devices — including when, where and how they conduct internet activity — and offers this trove of potentially sensitive information to the Chinese government.”

[…]

Abbott’s Dec. 7 directive stated that all state agencies must ban employees from downloading or using the app on government-issued devices, including cellphones, laptops and desktops, with exceptions for law enforcement agencies. He also directed the Texas Department of Public Safety and the Texas Department of Information Resources to create a plan to guide state agencies on how to handle the use of TikTok on personal devices, including those that have access to a state employee’s email account or connect to a state agency network. That plan was to be distributed to state agencies by Jan. 15.

Each state agency is expected to create its own policy regarding the use of TikTok on personal devices by Feb. 15.

The ban could have broad impacts particularly at universities serving college-age students, a key demographic that uses the app. University admissions departments have used it to connect with prospective students, and many athletics departments have used TikTok to promote sporting events and teams. It’s also unclear how the ban will impact faculty who research the app or professors who teach in areas such as communications or public relations, in which TikTok is a heavily used medium.

See here for the background. As the Chron notes, students will still be able to access TikTok off campus, but I’m sure this will cause a whole lot of complaining. It’s not clear to me that this is necessary to comply with Abbott’s previous directive, but I presume UT’s lawyers have given the matter some consideration and I’d take their conclusions over mine. Other big public universities have not yet announced anything, though on my earlier post a commenter who works at a Texas public university said that their school has done something similar. This will be very interesting to see.

There are a couple of big questions here. One is whether the TEA will weigh in on the matter for Texas public schools, or if it will be left up to individual districts. Far as I know, HISD has not taken any such action, and as it happens they have their own TikTok account. The other thing is how this might affect the ability of athletes to make NIL (name, image, likeness) money for themselves. NCAA athletes with a significant social media presence can earn a ton of money for themselves. If this starts to affect recruiting, you can be sure that people will hear about it. Even if the TEA takes action in the public schools, it’s not likely to have much effect since the UIL still bans athletes from making NIL money, but if this really does cause a ripple then anything can happen. Like I said, very much worth keeping an eye on this.

UPDATE: As of later in the day, Texas A&M and TSU have followed suit and implemented similar bans. That certainly lends credence to the “no it wasn’t an overreaction” thesis. UH had not taken any action as of this publication.

UPDATE: The University of North Texas joins in, as do all of the other schools in the UT system.

Abbott bans TikTok on state-issued devices

Honestly, I’m fine with this.

Gov. Greg Abbott announced Wednesday a ban of the popular app TikTok from all government-issued devices.

In a news release, the Republican said the Chinese government could use the app to access critical U.S. infrastructure and information.

“TikTok harvests vast amounts of data from its users’ devices — including when, where, and how they conduct internet activity — and offers this trove of potentially sensitive information to the Chinese government,” Abbott told state agency heads in a letter Wednesday.

TikTok is owned by Chinese company ByteDance.

On Wednesday, Abbott also sent a letter to Lt. Gov. Dan Patrick and Texas House Speaker Dade Phelan telling them “the Executive Branch will stand ready to assist in the codification and implementation of any cybersecurity reforms that may be deemed necessary.”

Abbott’s directive comes the same day as the state of Indiana filed a lawsuit against TikTok.

Indiana Attorney General Todd Rokita, also a Republican, claimed the app exposes minors to mature content and that it has deceived its “users about China’s access to their data,” The New York Times reported Wednesday.

Indiana’s lawsuit is the first against the app filed by a U.S. state. But a growing list of Republican governors have banned the app from government-issued devices. This week, Maryland Gov. Larry Hogan issued his directive and South Carolina Gov. Henry McMaster blocked the app from government electronics. Late last month, South Dakota Gov. Kristi Noem did the same.

From a cybersecurity perspective, there are valid reasons to assess TikTok as a higher-risk application. Indeed, as the story notes, the FBI raised national security concerns about it. It is also not unreasonable to declare that TikTok has limited value in the workplace and thus does not belong on workplace phones and computers. I’d make an exception for people whose jobs make use of social media – if the state of Texas doesn’t have any employees with that kind of job description, they really should – but banning it for others makes sense. One could also reasonably assess it differently – there’s always judgment in these matters. Speaking as someone whose workplace also blocks TikTok, I don’t see this as outside the mainstream.

Of greater interest to me is the note about implementing cybersecurity reforms. Given the recent ransomware attacks on state networks, as well as on various municipal governments, I’d say it’s long overdue. As with anything Greg Abbott says, the devil is in the details and I’ll believe it when I see it, but if this is a serious effort and it comes with the proper allocation of resources, it’s all to the good. The Trib and the Chron have more.

City news release website hacked

Oops.

Looking for a mail-order Russian bride or wondering how to order a school term paper online? Or maybe you want to improve your slot machine skills by playing online casino games. The city of Houston’s official website for news releases has you covered.

The page on Wednesday morning featured a spate of blog entries on a variety of confounding topics that were decidedly unrelated to City Hall. They were taken down by the afternoon, after the Houston Chronicle inquired about them.

The source of the blog entries, many of which were nonsensical, was unknown Wednesday. Mary Benton, the city’s communications director, said she alerted the information technology department to the posts. The listed author on the articles, a housing department employee named Ashley Lawson, did not actually write and post them, Benton said.

The entries appeared on the city’s news site, cityofhouston.news, a WordPress blog that does not share a domain with the city’s primary website, houstontx.gov.

Christopher Mitchell, the city’s chief information security officer, said no city information was compromised.

“We were recently made aware of improper posts appearing on a blog site utilized by the city to allow individual departments to post departmental content,” Mitchell said in a statement. “The blog site is hosted on a third-party platform and is not connected to any City of Houston enterprise systems. At no point did the city experience a compromise of city systems, data, or information. The origin of the posts was from an active account that was no longer in use, and the city is taking all necessary precautions to correct the issue and prevent a recurrence.”

The posts, often in broken or garbled English, had appeared at least 29 times since Sept. 13, displayed as “uncategorized” entries among more routine posts about police and fire investigations and where to get a flu shot.

Yeah, from a cybersecurity perspective this is (most likely) more of an embarrassment than a breach. It’s a good reminder of why obsolete accounts should be routinely deleted, or at least disabled. There are simple ways to monitor for this kind of activity – even fairly low-tech solutions, like automatically emailing new post notifications to an admin, are worthwhile – and I suspect the city will be doing that in the future. If you have to experience a public cybersecurity failure, there are much worse ways to do so. Please take this relatively painless opportunity to learn from it.
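The two controls the paragraph above recommends, disabling idle accounts and alerting an admin on every new post, are small enough to show in full. The following is an added example, not the city's code or anything from the WordPress project: the user export, its field names and the RSS feed are constructed, and the 90-day idle limit is an assumption. The feed parser reads the `dc:creator` and `category` elements that WordPress feeds emit, and marks a post suspicious when its author is not an active account or it landed in "Uncategorized", which is exactly how the spam in this story surfaced.

```python
"""Two low-tech controls for a departmental blog like the one in this story:
disable accounts that have gone idle, and alert on every new post the site
publishes, flagging posts from accounts that should not be publishing.
Added example, not the city's code; the user export and the RSS feed below
are constructed, and the field names are assumptions."""
from datetime import date
import xml.etree.ElementTree as ET

# Constructed user export: username, role, last login (None = never logged in)
USERS = [
    {"user": "comms_lead", "role": "editor", "last_login": "2022-10-14"},
    {"user": "housing_pio", "role": "author", "last_login": "2022-10-12"},
    {"user": "intern_2019", "role": "author", "last_login": "2019-08-30"},
    {"user": "vendor_setup", "role": "administrator", "last_login": None},
]

# Constructed WordPress-style RSS 2.0 feed (dc:creator / category as WP emits them)
FEED_XML = """<?xml version="1.0"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel><title>City News</title>
<item><title>Where to get a flu shot</title>
  <guid isPermaLink="false">https://example.invalid/?p=101</guid>
  <dc:creator><![CDATA[housing_pio]]></dc:creator>
  <category><![CDATA[Public Health]]></category></item>
<item><title>Best online casino slots 2022!!!</title>
  <guid isPermaLink="false">https://example.invalid/?p=102</guid>
  <dc:creator><![CDATA[intern_2019]]></dc:creator>
  <category><![CDATA[Uncategorized]]></category></item>
</channel></rss>
"""
DC = "{http://purl.org/dc/elements/1.1/}"


def dormant_accounts(users, today, max_idle_days=90):
    """Usernames to disable: never logged in, or idle longer than the limit."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    out = []
    for u in users:
        if u["last_login"] is None:
            out.append(u["user"])          # provisioned but never used: disable
            continue
        idle = (today - date.fromisoformat(u["last_login"])).days
        if idle > max_idle_days:
            out.append(u["user"])
    return out


def new_post_alerts(feed_xml, seen_guids, active_authors):
    """Posts not seen before, each with the reasons an admin should look."""
    alerts = []
    for item in ET.fromstring(feed_xml).iter("item"):
        guid = item.findtext("guid")
        if guid in seen_guids:
            continue
        author = item.findtext(f"{DC}creator")
        category = item.findtext("category")
        reasons = []
        if author not in active_authors:
            reasons.append("author is not an active account")
        if category == "Uncategorized":
            reasons.append("post is uncategorized")
        alerts.append({"guid": guid, "title": item.findtext("title"),
                       "author": author, "suspicious": bool(reasons),
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    disable = dormant_accounts(USERS, "2022-10-19")
    print("disable:", disable)
    active = {u["user"] for u in USERS} - set(disable)
    for alert in new_post_alerts(FEED_XML, seen_guids=set(), active_authors=active):
        print(alert)
```

Run `new_post_alerts` on a schedule against the public feed, persist the GUIDs it has already reported, and mail anything it returns to an admin; the feed is public, so this works even when the blog is hosted by a third party and you have no server-side hooks. Every suspicious alert in this story would have fired on the first spam post rather than the twenty-ninth.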

Cybersecurity insurance for TxDOT

Not an optional thing these days.

Pending final approval from the legislature, the Texas Department of Transportation plans to spend about $100,000 annually on cybersecurity insurance aimed at repaying the state should it incur expenses related to loss of business or recouping costs related to correcting a cyber attack. To buy the insurance, TxDOT needs some minor language changes to state law. HB 3390 by State Rep. Ed Thompson, R-Pearland, would make those adjustments, clearing the way for the transportation agency to buy a policy.

Thompson’s bill passed the Texas Senate on Wednesday and now goes to Gov. Greg Abbott for his signature.

State Sen. Cesar Blanco, D-El Paso, who sponsored an identical bill in the Senate, said the premium on the insurance would cost TxDOT about $100,000 annually.

The insurance comes about a year after the department was the victim of a ransomware attack on its systems that cost about $10 million to correct and prevent future invaders.

“It was pretty bad,” said State Sen. Robert Nichols, chairman of the Senate Transportation Committee.

A number of state agencies, smaller public entities and major businesses in Texas have faced internet assaults, including school districts, the Houston Rockets, Texas’ court system and Texas Children’s Hospital.

Neither TxDOT nor its insurance company paid a ransom, officials at the time said, but spent weeks working with consultants and companies, such as AT&T, to identify the issue and install new hardware related to stopping infiltrations. James Bass, TxDOT’s executive director, said analysts believe the breach happened when a contract employee clicked a link disguised as coming from an internal source.

[…]

Bass said the need for the insurance at this time is somewhat confusing, since last year’s attack was covered by insurance. To satisfy bond holders, who lent money for the state to build toll roads, TxDOT purchased cyberattack insurance on its tolling systems about a decade ago. At that time, the insurer allowed TxDOT to add all of its operations free of charge.

Now that the state has been attacked, however, Bass said it likely will need separate insurance, which requires the change in law so TxDOT can use state money — not toll revenue — to pay the premium.

TxDOT is an obvious candidate for needing this kind of insurance, since drivers license data is a lucrative target, but surely they’re not the only state agency that would need it. The Department of State Health Services comes to mind, for example. A better question is what are we doing as a state to better protect these agencies and their data from being ransomed in the first place? Putting my professional hat on for a minute, I can tell you this is a big problem, one that requires a significant and evergreen investment to mitigate against it, and a lot of places are woefully ill-equipped for the fight. And as we saw last year, it’s not just DPS and other state agencies we have to worry about, it’s also the firms they do business with. (It’s also not just hackers, but pure human incompetence that can be at fault as well.) I’m sure there’s plenty the Lege could have done this session to improve things, but they had other priorities.

More on DPS and data protection

A followup from the DMN about that data breach involving every drivers license number you’ve ever had.

Some other states do not sell [drivers’ license] data, but Texas does. State lawmakers could change the law in their 2021 session.

I first reported this in 2015 when I learned that several state government departments sell information to outsiders. In an open records request that year, I learned that in 2014 the Department of Motor Vehicles earned $2.4 million in sales.

This year, CBS 11/KTVT reporter Brian New updated those numbers. DMV made more than $3 million in 2019 selling drivers’ names, addresses, phone numbers, email addresses and VIN information, he reported.

[…]

The buyers are data-mining companies, insurance companies, banks, police departments, car dealers, toll companies, school districts, corporations, private investigators, tax-collecting law firms, tow truck companies and electricity companies, to name a few.

Follow this — the biggest loophole. In Texas, it’s against the law for companies who buy the information to use it to sell to us. So to get around that some companies sell the lists to other marketing companies, which go ahead and use the information to sell — and annoy us.

Because our information isn’t sold directly to marketers, the state doesn’t have to give us a privacy statement when we buy a car or apply for a driver’s license. We don’t get to opt out, as residents of California are now allowed to do.

State lawmakers could fix this, giving us privacy statements and allowing us to opt out of the information sold. Or they could go one better and prohibit the sale of the databases entirely. Other states do.

If you bring this up, state departments other than DMV complain loudly about how these are open records that often can help consumers. (For example, your car is towed, and the towing company can figure out who it belongs to). Besides, selling our data makes a lot of money for the general fund.

One way to see how loosey-goosey Texas is with our information is on the paid subscription lookup site, PublicData.com.

Years ago, there were multiple states listed where you could quickly look up a person’s driver’s license information. Now there’s only Florida and Texas. The other 48 now have higher standards of privacy.

Same goes for vehicle information. Only five states are listed for searching, but four are marked “[OLD].” The fifth is up to date and active. That’s us.

If you get unwanted spam email, postal mail or phone calls and wonder how they got your information, often enough it’s because of our state’s lax laws. Thank you state leaders.

When it comes to cheap and easy data distribution that violates our privacy, we’re number one. Hoo-ray for Texas.

See here for the background. California has a data privacy law that is modeled on the European GDPR scheme. I work with GDPR quite a bit, and it gives people a lot of control over their data while putting some real teeth into enforcement. One of the main ways that GDPR works is that it requires an organization that suffers a personal data breach (data stolen, deleted, altered, or otherwise inappropriately accessed) to notify its supervisory authority within 72 hours of becoming aware of it, and to notify the affected individuals directly when the breach is likely to put them at high risk. That’s a lot better than what we have now.

There’s some federal data privacy legislation out there, which largely has the support of the big players like Facebook and Google, which on the one hand means it has a chance to pass but on the other hand means it’s not anything those companies consider to be bad for their business models. I’d rather see something more stringent than that – to me, GDPR is a starting point. We’re not going to get anything like that in Texas, I feel confident saying that. But feel free to call your State Rep and State Senator and tell them that you would like to have the ability to opt out of having your drivers license data sold by DPS. The amount the state takes in for these sales is pennies compared to the state budget. We can very easily do with less of that.

UPDATE: This Slate story about the need for a federal data privacy law is a good read, and addresses the ways we can learn from GDPR for an American version of that law.

DPS needs to do better with data protection

Oops.

You’ve been hacked. We’ve all been hacked.

No one else has said it, but The Watchdog will. This is likely the largest and one of the more significant data breaches ever to hit Texans.

About 27.7 million Texas driver’s license holders are affected.

If you haven’t heard about this, that’s part of the problem. It’s almost like no one wants you to know.

Why 27.7 million affected licenses when Texas’ total population is around 28 million? Because the number includes former state residents and dead people who were issued licenses before February 2019. So, it includes just about everybody who held a Texas license going back an unknown amount of years. It doesn’t include children.

The Watchdog has the story.

Yes, the information involved here is already available on a paid data site such as PublicData.com, although that site is not always current. But there you have to look up each individual. With this breach, all the information is already bundled and in one place.

What do the crooks have? Your license information (name, address, DL number), the color, model, year and VIN of your vehicle and the lender to whom you make car payments.

I’ll show you how this happened, what crooks can do with the information and how you can be prepared.

The culprit here is a company you probably never heard of — Vertafore of Denver, which, like many companies, buys data from state governments. Vertafore works with the insurance industry to concoct ratings that help agents, brokers and others.

“As a result of human error,” Vertafore says in a news release, “three data files were inadvertently stored in an unsecured external storage service that appears to have been accessed without authorization.”

Someone found the information and grabbed the files before Vertafore realized it, the company says.

The FBI and state law enforcement are investigating.

It appears to The Watchdog that although this data breach began in March and continued to August, our Texas Department of Motor Vehicles, which stores vehicle information, and the Texas Department of Public Safety, which handles licenses, probably didn’t know about the hack until recently because their own databases were not compromised.

There’s more and you should read the rest, including the bit about some likely ways that the attacker could use this information. It could have been worse – no Social Security numbers were stolen, apparently – but it’s still not great, and the complete ignorance about the theft by DPS and DMV is not great at all. Putting my cybersecurity hat on for a moment, DPS and DMV need to do a thorough audit of the security policies and processes used by everyone that has access to their data, because those are clear points of vulnerability. It doesn’t matter how sound DPS and DMV’s own security practices are if their business partners are lax.

(This would be a fine opportunity for a member of the Legislature to file a bill that mandates minimum standards for third parties that handle personal data, and for the state agencies that do business with them to proactively ensure they are doing it right.)

The other thing DPS and DMV – and any other state agency that handles personal data – need to do is to subscribe to a service that scans the Internet for data of theirs that may have been stolen. (Experian either does this themselves or subscribes to someone who does, which is how they knew about it before it was officially announced.) It’s an article of faith in the cybersecurity world that security incidents and data breaches are going to happen, so a top priority has to be to detect them as quickly as possible so the loss can be minimized and the damage can be remediated. The history of most large scale cyber incidents is that the attackers had been operating inside the victimized firm for months, sometimes more than a year, before their activities were discovered.
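A scanning service can only tell you a dump is yours if it has something to match against, and handing it the raw license database to do so defeats the purpose. The following is an added example, not DPS, DMV or Vertafore code, and it goes a step beyond the paragraph above: it fingerprints each record with a keyed hash (so the index you keep or hand to a scanner cannot be reversed into license numbers) and seeds each partner's export with a few synthetic canary records, so that a dump found later can be both confirmed as yours and attributed to the export it came from. The key, records, partner names and field set are all constructed.

```python
"""Fingerprinting a dataset you hand to third parties so that a dump found
later can be (a) confirmed as yours and (b) traced to the export it came
from, without giving a scanning service the raw records. Added example, not
DPS/DMV code; the key, records, partner names and field set are constructed."""
import hashlib
import hmac

FIELDS = ("name", "address", "dl_number")
KEY = b"constructed-demo-key-rotate-me"   # real deployments: per-dataset secret in a KMS


def canonical(record):
    """Normalize so trivial reformatting by the leaker still matches."""
    return "\x1f".join(" ".join(str(record[f]).split()).lower() for f in FIELDS)


def fingerprint(record, key=KEY):
    # Keyed hash: an unkeyed SHA-256 of an 8-digit DL number is brute-forceable
    return hmac.new(key, canonical(record).encode(), hashlib.sha256).hexdigest()


def make_canaries(partner, n=2, key=KEY):
    """Synthetic records unique to one export; they exist nowhere else."""
    canaries = []
    for i in range(n):
        tag = hmac.new(key, f"canary:{partner}:{i}".encode(), hashlib.sha256).hexdigest()
        canaries.append({"name": f"Avery {tag[:6].title()}",
                         "address": f"{int(tag[6:10], 16)} Seeded Ln, Austin TX",
                         "dl_number": f"{int(tag[10:18], 16) % 10**8:08d}"})
    return canaries


def build_export(records, partner, key=KEY):
    """What goes to the partner, plus the canary fingerprints we keep."""
    canaries = make_canaries(partner, key=key)
    return records + canaries, {fingerprint(c, key) for c in canaries}


def attribute_dump(dump, own_fps, canary_fps_by_partner, key=KEY):
    """Fraction of the dump that is our data, and which export(s) it carries."""
    fps = {fingerprint(r, key) for r in dump}
    ours = len(fps & own_fps) / len(fps) if fps else 0.0
    partners = {p for p, cfps in canary_fps_by_partner.items() if fps & cfps}
    return round(ours, 2), partners


GENUINE = [  # constructed records
    {"name": "Pat Lee", "address": "1 Main St, Houston TX", "dl_number": "00000001"},
    {"name": "Sam Tran", "address": "2 Oak Ave, Dallas TX", "dl_number": "00000002"},
    {"name": "Kim Park", "address": "3 Elm Rd, El Paso TX", "dl_number": "00000003"},
    {"name": "Lee Chen", "address": "4 Pine Ct, Austin TX", "dl_number": "00000004"},
]


def demo():
    """Build two partner exports, then attribute a partial, reformatted dump."""
    own_fps = {fingerprint(r) for r in GENUINE}
    exports, canary_fps = {}, {}
    for partner in ("insurer_a", "insurer_b"):
        exports[partner], canary_fps[partner] = build_export(GENUINE, partner)
    # A dump turns up: the last four rows of insurer_b's export with names
    # re-cased and padded, plus one unrelated record
    dump = [{**r, "name": r["name"].upper() + "  "} for r in exports["insurer_b"][2:]]
    dump.append({"name": "Nobody", "address": "x", "dl_number": "99999999"})
    return attribute_dump(dump, own_fps, canary_fps)


if __name__ == "__main__":
    print(demo())   # share of the dump that is ours, and the export it came from
```

The canaries only work if they are indistinguishable from real rows to the recipient and are never issued as real licenses, and the key has to stay with the agency: anyone holding it can rebuild the index. With that in place, the agency is no longer dependent on a vendor noticing its own mistake, which is how the breach above stayed open from March to August.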

There’s not a whole lot more info about this out there – ZDNet and Insurance Journal add a little more, but that’s really about it. I do hope the state demands a full report from Vertafore, and learns lessons from it. Next time it could be more serious than this.