You’ve been hacked. We’ve all been hacked.
No one else has said it, but The Watchdog will. This is likely the largest and one of the more significant data breaches ever to hit Texans.
About 27.7 million Texas driver’s license holders are affected.
If you haven’t heard about this, that’s part of the problem. It’s almost like no one wants you to know.
Why 27.7 million affected licenses when Texas’ total population is around 28 million? Because the number includes former state residents and dead people who were issued licenses before February 2019. So, it includes just about everybody who held a Texas license going back an unknown amount of years. It doesn’t include children.
The Watchdog has the story.
Yes, the information involved here is already available on a paid data site such as PublicData.com, although that site is not always current. But there you have to look up each individual. With this breach, all the information is already bundled and in one place.
What do the crooks have? Your license information (name, address, DL number), the color, model, year and VIN of your vehicle and the lender to whom you make car payments.
I’ll show you how this happened, what crooks can do with the information and how you can be prepared.
The culprit here is a company you probably never heard of — Vertafore of Denver, which, like many companies, buys data from state governments. Vertafore works with the insurance industry to concoct ratings that help agents, brokers and others.
“As a result of human error,” Vertafore says in a news release, “three data files were inadvertently stored in an unsecured external storage service that appears to have been accessed without authorization.”
Someone found the information and grabbed the files before Vertafore realized it, the company says.
The FBI and state law enforcement are investigating.
It appears to The Watchdog that although this data breach began in March and continued to August, our Texas Department of Motor Vehicles, which stores vehicle information, and the Texas Department of Public Safety, which handles licenses, probably didn’t know about the hack until recently because their own databases were not compromised.
There’s more and you should read the rest, including the bit about some likely ways that the attacker could use this information. It could have been worse – no Social Security numbers were stolen, apparently – but it’s still not great, and the complete ignorance about the theft by DPS and DMV is not great at all. Putting my cybersecurity hat on for a moment, DPS and DMV need to do a thorough audit of the security policies and processes used by everyone that has access to their data, because those are clear points of vulnerability. It doesn’t matter how sound DPS and DMV’s own security practices are if their business partners are lax.
(This would a fine opportunity for a member of the Legislature to file a bill that mandates minimum standards for third parties that handle personal data, and for the state agencies that do business with them to proactively ensure they are doing it right.)
The other thing DPS and DMV – and any other state agency that handles personal data – need to do is to subscribe to a service that scans the Internet for data of theirs that may have been stolen. (Experian either does this themselves or subscribes to someone who does, which is how they knew about it before it was officially announced.) It’s an article of faith in the cybersecurity world that security incidents and data breaches are going to happen, so a top priority has to be to detect them as quickly as possible so the loss can be minimized and the damage can be remediated. The history of most large scale cyber incidents is that the attackers had been operating inside the victimized firm for months, sometimes more than a year, before their activities were discovered.
There’s not a whole lot more info about this out there – ZDNet and Insurance Journal add a little more, but that’s really about it. I do hope the state demands a full report from Vertafore, and learns lessons from it. Next time it could be more serious than this.