Threatwatch

California drivers face big credit card breach

Stolen credentials

A Georgia-based payment processor for the California Department of Motor Vehicles apparently was victimized by hackers for six months. As of this report, the theft only affects citizens that conducted credit card transactions online.

This week, banks in California and elsewhere received alerts from MasterCard about compromised cards that all had been previously used for California DMV charges.

The alert “stated that the date range of the potentially compromised transactions extended from Aug. 2, 2013 to Jan. 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards,” Krebs reports.

State DMV officials issued the following comment:  

“The Department of Motor Vehicles has been alerted by law enforcement authorities to a potential security issue within its credit card processing services.

“There is no evidence at this time of a direct breach of the DMV’s computer system. However, out of an abundance of caution and in the interest of protecting the sensitive information of California drivers, the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement.

“In its investigation, the department is performing a forensic review of its systems and seeking information regarding any potential breach from both the external vendor that processes the DMV’s credit card transactions and the credit card companies themselves.”

This document from the California Department of General Services suggests that the external processor is Elavon, a company based in Atlanta.

According to the latest statistics, Californians conducted more than 11.9 million online transactions with the state’s DMV in 2012, a 6 percent increase over 2011.

“Unclear is whether the apparent breach affecting the CA DMV may have involved the theft of additional, more sensitive personal information on Californians, such as Drivers License and Social Security numbers, email and physical addresses, phone numbers and other personal data,” Krebs writes.  

ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves. 

sector

Financial Services; Government (U.S.)

reported

March 22, 2014

reported by

Krebs on Security

number affected

Unknown

location of breach

United States

perpetrators

Unknown

location of perpetrators

Unknown

date breach occurred

Aug. 2, 2013 to Jan. 31, 2014

date breach detected

March 2014