- California’s state DMV has warned that more than a year’s worth of information about residents may have been compromised in a third-party data breach.
- An investigation is underway to determine if that’s the case. A financial services firm that contracts with the DMV is what actually fell victim to a ransomware attack.
- Unfortunately, that firm also does business with many other public entities, such as the city of Seattle.
We’re only mid-way through the second month of 2021, and already the data breaches are mounting. Following the disclosure we mentioned in recent days, of what may be the largest-ever publication of hacked user credentials posted to the internet, now comes word that California state residents may have had their personal data stolen via a cyberattack on a vendor associated with the California Department of Motor Vehicles.
According to a new warning from the state’s DMV, more than a year’s worth of customer data that includes license plate numbers and individual addresses may have been compromised via the data breach. The breach targeted Automatic Funds Transfer Services, a financial services and data management company that contracts for services with California’s DMV, which the DMV uses to verify car owners’ change of address. The key phrase here, though, is “may have been compromised.”
“DMV systems have not been compromised and it is unknown if DMV data shared with the company has been compromised,” the California agency said in its disclosure of the incident. “An investigation is under way.”
Automatic Funds Transfer Services was apparently the victim of a ransomware attack earlier this month that, per the DMV, might have compromised “the last 20 months of California vehicle registration records that contain names, addresses, license plate numbers and vehicle identification numbers (VIN).” Not surprisingly, the DMV says it stopped all data transfers to AFTS and notified law enforcement, including the FBI.
As of the time of this writing on Friday morning, AFTS displays the following error message when you try to visit its webpage: “The website for AFTS and all related payment processing (websites) are unavailable due to technical issues. We are working on restoring them as quickly as possible.”
What’s even more ominous about this data breach is that it might be much larger than what’s been reported, since AFTS actually contracts with many city entities, like in Seattle — which said a few days ago after learning of the AFTS incident that “City departments use this vendor for commercial billing, printing, and mailing services. Seattle Information Technology Department leads, including security and privacy teams, are working with AFTS, affected departments and the City Attorney’s office to understand the potential impact of this incident on personal information.”