The California Department of Motor Vehicles appears to have suffered a wide-ranging credit card data breach involving online payments for DMV-related services, according to banks in California and elsewhere that received alerts this week about compromised cards that all had been previously used online at the California DMV.
The alert, sent privately by MasterCard to financial institutions this week, did not name the breached entity but said the organization in question experienced a “card-not-present” breach — industry speak for transactions conducted online. The alert further stated that the date range of the potentially compromised transactions extended from Aug. 2, 2013 to Jan. 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards.
Five different financial institutions contacted by this publication — including two mid-sized banks in California — confirmed receipt of the MasterCard notice, and said that all of the cards MasterCard alerted them about as compromised had been used for charges bearing the notation “STATE OF CALIF DMV INT”.
A representative from MasterCard, speaking on background, confirmed sending out an alert this week. According to bank sources, Visa has not sent out a similar alert. A Visa spokesperson said “Visa cannot comment on potential third party data compromises or ongoing investigations.”
Contacted about the alerts early Friday afternoon pacific time, California DMV Spokesperson Jessica Gonzalez said the agency would investigate the matter. Reached again at 6:30 p.m. PT (well after DMV business hours on a Friday), Ms. Gonzalez said her office was working late as a result of the inquiry from KrebsOnSecurity. She said the agency was still in the process of getting a statement approved, but that it planned to email the statement later that evening. So far, however, the California DMV has yet to issue a statement or respond to further requests for comment.
Update, 6:44 p.m. ET: The CA DMV just issued the following statement, which placed blame for the incident on the organization’s external card processing firm:
“The Department of Motor Vehicles has been alerted by law enforcement authorities to a potential security issue within its credit card processing services.”
” There is no evidence at this time of a direct breach of the DMV’s computer system. However, out of an abundance of caution and in the interest of protecting the sensitive information of California drivers, the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement.”
“In its investigation, the department is performing a forensic review of its systems and seeking information regarding any potential breach from both the external vendor that processes the DMV’s credit card transactions and the credit card companies themselves.”
The CA DMV did not say who their card processor is, but this document from the California Department of General Services seems to suggest that the processor is Elavon, a company based in Atlanta, Ga. Representatives for Elavon could not be immediately reached for comment [hat tip to @walshman23 for finding this document].
Update, Mar. 24, 10:54 a.m.: Elavon officials could not be reached for comment. But a spokesperson for Elavon parent firm U.S. Bank told this publication that “there has been NO confirmation of a breach. We are in touch with the CA-DMV and the authorities to determine if there is an issue.”
If indeed the California DMV has suffered a breach of their online payments system, it’s unclear how many card numbers may have been stolen. But the experience of one institution that received the MasterCard alert this week may offer some perspective.
The alert was tailored for individual banks, including a list of the credit and debit card numbers that each bank had potentially exposed. One California bank that received the alert said the notice included a list of more than 1,000 cards that the bank had issued to customers. To put that in perspective, this same bank had just over 3,000 cards impacted by the breach at Target late last year, and that was a break-in that ultimately jeopardized more than 40 million card numbers at banks nationwide.
“We’re seeing two percent of our card base compromised as a result of this, and our cards are 100 percent concentrated here in California,” said a source at the small state bank, who declined to be named because he did not have permission to speak on the record. “That’s still a big number, and it’s a huge exposure window.”
According to the latest statistics released by the California DMV, Californians conducted more than 11.9 million online transactions with the agency in 2012, a 6 percent increase over 2011.
Also unclear is whether the apparent breach affecting the CA DMV may have involved the theft of additional, more sensitive personal information on Californians, such as Drivers License and Social Security numbers, email and physical addresses, phone numbers and other personal data.
Update, 4:05 p.m. ET: Modified the opening paragraph to make it clearer that this is a breach involving online transactions, not at California DMV physical locations (which don’t accept credit cards anyway). Also, the CA DMV has released a Frequently Asked Questions (FAQ) page about this incident.