Reports are emerging that 28 million drivers licences have been leaked in a massive data breach originating in Texas after an insurance company connected to the Texas DMV failed to adequately protect the sensitive information.
The insurance company in question, Vertafore had an agreement with the Texas Department of Motor Vehicles – DMV – to access its sensitive database, but was hit by a data breach that saw the information of up to 28 million drivers licences leaked onto a publicly accessible database.
Vertafore has issued a statement saying that the data was stored in an unsecured and potentially misconfigured database, where it was hit by a data breach between March and August, 2020.
Both the DMV and Vertafore have confirmed that drivers licence numbers, names, birthdates and vehicle registration numbers were amongst the most valuable information in the data breach, and impacts any Texan with a drivers licence obtained before February, 2019.
The company said in a statement that “the files, which included driver information for licenses issued before February 2019, contained Texas driver license numbers, as well as names, dates of birth, addresses and vehicle registration.”
“They did not contain any Social Security numbers or financial account information,” Vertafore added. “No information misuse has been identified. No customer data or any other data – including partner vendor or other supplier data- or systems hosted for them were impacted. Additionally, no Vertafore system vulnerabilities were identified.”
Vertafore maintains a variety of information security policies, procedures, practices and controls,” the company said. “We continually monitor our networks and systems for unusual activity. Unfortunately, Vertafore, like any other company, is not immune from this type of event.”
Get Your Free Gap Analysis Checklist
Fox26 asked Vertafore why it took months to report the leak of 28 million drivers licences, with the company responding that it reported the data breach to the Texas Office of the Attorney General, the Texas Department of Public Safety and the Texas Department of Motor Vehicles.
The company has said that “Vertafore’s notice was delayed at law enforcement’s request,” and that they had enlisted the help of third-party cyber security firms to investigate the breach, with reportedly no signs of hackers misusing the data that was accessed.
“Immediately upon becoming aware of the issue, Vertafore secured the potentially affected files and has been investigating the event and the extent to which data may have been impacted,” it said in a statement.
James Lee of the Identity Theft Resource Center has told Fox26 that “there’s a lot an identity thief can do with this information. They can try to create a new account and they can try to prove they are you when they’re logging in to an existing account.” may wait to use
He added that “it’s something they may wait to use. So you’re not out of the woods just because a year has passed, two years have passed, three years have passed.” Lee urged those implicated in the data breach to take the necessary steps to secure their personal accounts and lock down their financial records.
“Be very diligent about watching credit card statements and things of that nature,” he said, adding that people should “ultimately consider upgrading some passwords. The advice we give people today is don’t have a password, have a passphrase.”
The Texas Department of Motor Vehicles has issued a statement saying that “the breach of information was caused by Vertafore. The Texas Department of Motor Vehicles was not hacked and was not the cause of the breach. The Texas [DMV] takes protecting consumer information very seriously. The department classifies and protects data based on existing statutory regulations and industry principles, and retains and destroys all data in accordance with state and agency data retention and data sanitization policies.”
It continued to explain that “the department only allows outside use of information for reasons found in Transportation Code Chapter 730 and the Federal Drivers Privacy Protection Act. These laws permit, and at times require, the release of motor vehicle records to authorized parties.”
Vertafore has said in a statement that “these complex investigations take time… we moved quickly and took care and time to be able to obtain and deliver accurate information. We sincerely regret any inconvenience this may cause.”