Apparently the general disdain that people stereotypically have for the DMV is shared by the collective Hacker community. Or maybe local governments still haven’t caught up with the cutting edge of cyber crimes, leaving your sensitive credit card information in danger of virtual theft even while you stand in an agonizingly long line just to renew your tags or pass your eye test. Either way, the latest news of a big bad Data Breach isn’t a retailer. It isn’t a video game company. It isn’t even a hotel chain. Nope. It’s the DMV!
Police suggested someone may have breached the credit card processing services at the California Department of Motor Vehicles, according to the DMV’s website.
The agency “has been alerted by law enforcement authorities to a potential security issue,” a DMV spokesman said in a statement. The state DMV advised anyone who has renewed their driver’s license in California using a credit card to keep a close eye on their statements for unusual activity. “There is no evidence at this time of a direct breach of the DMV’s computer system,” the statement said. “However, out of an abundance of caution and in the interest of protecting the sensitive information of California drivers, the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement.”
As is usual in these data breach news breaks, it was security blogger Brian Krebs out in front of everyone. Krebs — who broke the story of the blockbuster breach of Target customers’ credit card data last year — cited several financial institutions that received private alerts this week from MasterCard about compromised cards used for charges marked “STATE OF CALIF DMV INT.”
MasterCard said it was aware of and investigating reports of a potential breach involving the DMV. The credit card company could not, however, provide any details on what information may have been compromised or how many cardholders may be affected.
It remains unclear how many people might be affected by a potential DMV breach, but Krebs reported that one bank received a list from MasterCard of more than 1,000 cards that were potentially exposed. Krebs reported that the information stolen included credit card numbers, expiration dates and three-digit security codes printed on the back and that the affected transactions were believed to have been made between Aug 2, 2013, and Jan. 31 of this year.
How Big is that Breach?
Something to keep in mind about this DMV breach is that the data breach is rather mundane when compared to breaches of the past. Last year’s massive Target hack, which dominated headlines, counted a reported 40 million Target customers’ credit and debit card accounts were illegally accessed from Nov. 27 to Dec. 15, while as many as 70 million shoppers may have had their names and home and email addresses stolen over an indeterminate amount of time.
In April of 2011, the Playstation Network was hacked, compromising the vital information of 77 million accounts, and 24.5 million Sony Online Entertainment accounts. This has been touted as one of the largest personal data heists recorded in history, and prompted Sony to shut down its services for a month.
In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into is internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.
So the 1,000 cards exposed by the Los Angeles DMV is a mere drop in the bucket of the overall data breach saga. That number may be a bit of a low estimate, however, as according to the latest information released by the DMV, more than 11.9 million online transactions were conducted with the agency in 2012, marking a 6% increase from the year before. Online services include transactions such as payment of registration fees and the purchase of specialized license plates. Still no matter what the actual number ends up being, it will fall short of the bigger hacks in cybercrime history.