Off the Kuff

Vertafore

More on DPS and data protection

A follow-up from the DMN about that data breach involving every driver’s license number you’ve ever had.

Some other states do not sell [drivers’ license] data, but Texas does. State lawmakers could change the law in their 2021 session.

I first reported this in 2015 when I learned that several state government departments sell information to outsiders. In an open records request that year, I learned that in 2014 the Department of Motor Vehicles earned $2.4 million in sales.

This year, CBS 11/KTVT reporter Brian New updated those numbers. DMV made more than $3 million in 2019 selling drivers’ names, addresses, phone numbers, email addresses and VIN information, he reported.

[…]

The buyers are data-mining companies, insurance companies, banks, police departments, car dealers, toll companies, school districts, corporations, private investigators, tax-collecting law firms, tow truck companies and electricity companies, to name a few.

Follow this — the biggest loophole. In Texas, it’s against the law for companies who buy the information to use it to sell to us. So to get around that some companies sell the lists to other marketing companies, which go ahead and use the information to sell — and annoy us.

Because our information isn’t sold directly to marketers, the state doesn’t have to give us a privacy statement when we buy a car or apply for a driver’s license. We don’t get to opt out, as residents of California are now allowed to do.

State lawmakers could fix this, giving us privacy statements and allowing us to opt out of the information sold. Or they could go one better and prohibit the sale of the databases entirely. Other states do.

If you bring this up, state departments other than DMV complain loudly about how these are open records that often can help consumers. (For example, your car is towed, and the towing company can figure out who it belongs to). Besides, selling our data makes a lot of money for the general fund.

One way to see how loosey-goosey Texas is with our information is on the paid subscription lookup site, PublicData.com.

Years ago, there were multiple states listed where you could quickly look up a person’s driver’s license information. Now there’s only Florida and Texas. The other 48 now have higher standards of privacy.

Same goes for vehicle information. Only five states are listed for searching, but four are marked “[OLD].” The fifth is up to date and active. That’s us.

If you get unwanted spam email, postal mail or phone calls and wonder how they got your information, often enough it’s because of our state’s lax laws. Thank you state leaders.

When it comes to cheap and easy data distribution that violates our privacy, we’re number one. Hoo-ray for Texas.

See here for the background. California has a data privacy law that is modeled on the European GDPR scheme. I work with GDPR quite a bit, and it gives people a lot of control over their data while putting some real teeth into enforcement. One of the main ways that GDPR works is that it requires notifications to affected individuals when their personal data is stolen, deleted, or otherwise inappropriately accessed. That’s a lot better than what we have now.

There’s some federal data privacy legislation out there, which largely has the support of the big players like Facebook and Google. On the one hand, that means it has a chance to pass; on the other hand, it means it’s not anything those companies consider to be bad for their business models. I’d rather see something more stringent than that – to me, GDPR is a starting point. We’re not going to get anything like that in Texas, I feel confident saying that. But feel free to call your State Rep and State Senator and tell them that you would like to have the ability to opt out of having your driver’s license data sold by DPS. The amount the state takes in for these sales is pennies compared to the state budget. We can very easily do with less of that.

UPDATE: This Slate story about the need for a federal data privacy law is a good read, and addresses the ways we can learn from GDPR for an American version of that law.

DPS needs to do better with data protection

Oops.

You’ve been hacked. We’ve all been hacked.

No one else has said it, but The Watchdog will. This is likely the largest and one of the more significant data breaches ever to hit Texans.

About 27.7 million Texas driver’s license holders are affected.

If you haven’t heard about this, that’s part of the problem. It’s almost like no one wants you to know.

Why 27.7 million affected licenses when Texas’ total population is around 28 million? Because the number includes former state residents and dead people who were issued licenses before February 2019. So, it includes just about everybody who held a Texas license going back an unknown amount of years. It doesn’t include children.

The Watchdog has the story.

Yes, the information involved here is already available on a paid data site such as PublicData.com, although that site is not always current. But there you have to look up each individual. With this breach, all the information is already bundled and in one place.

What do the crooks have? Your license information (name, address, DL number), the color, model, year and VIN of your vehicle and the lender to whom you make car payments.

I’ll show you how this happened, what crooks can do with the information and how you can be prepared.

The culprit here is a company you probably never heard of — Vertafore of Denver, which, like many companies, buys data from state governments. Vertafore works with the insurance industry to concoct ratings that help agents, brokers and others.

“As a result of human error,” Vertafore says in a news release, “three data files were inadvertently stored in an unsecured external storage service that appears to have been accessed without authorization.”

Someone found the information and grabbed the files before Vertafore realized it, the company says.

The FBI and state law enforcement are investigating.

It appears to The Watchdog that although this data breach began in March and continued to August, our Texas Department of Motor Vehicles, which stores vehicle information, and the Texas Department of Public Safety, which handles licenses, probably didn’t know about the hack until recently because their own databases were not compromised.

There’s more and you should read the rest, including the bit about some likely ways that the attacker could use this information. It could have been worse – no Social Security numbers were stolen, apparently – but it’s still not great, and the complete ignorance about the theft by DPS and DMV is not great at all. Putting my cybersecurity hat on for a moment, DPS and DMV need to do a thorough audit of the security policies and processes used by everyone who has access to their data, because those are clear points of vulnerability. It doesn’t matter how sound DPS and DMV’s own security practices are if their business partners are lax.

(This would be a fine opportunity for a member of the Legislature to file a bill that mandates minimum standards for third parties that handle personal data, and for the state agencies that do business with them to proactively ensure they are doing it right.)

The other thing DPS and DMV – and any other state agency that handles personal data – need to do is to subscribe to a service that scans the Internet for data of theirs that may have been stolen. (Experian either does this itself or subscribes to someone who does, which is how it knew about this before it was officially announced.) It’s an article of faith in the cybersecurity world that security incidents and data breaches are going to happen, so a top priority has to be to detect them as quickly as possible so the loss can be minimized and the damage can be remediated. The history of most large-scale cyber incidents is that the attackers had been operating inside the victimized firm for months, sometimes more than a year, before their activities were discovered.

There’s not a whole lot more info about this out there – ZDNet and Insurance Journal add a little more, but that’s really about it. I do hope the state demands a full report from Vertafore, and learns lessons from it. Next time it could be more serious than this.