The California Department of Motor Vehicles appears to have suffered a wide-ranging credit card data breach involving online payments for DMV-related services, according to banks in California and elsewhere that received alerts this week about compromised cards that all had been previously used online at the California DMV.
The alert, sent privately by MasterCard to financial institutions this week, did not name the breached entity but said the organization in question experienced a “card-not-present” breach — industry speak for transactions conducted online. The alert further stated that the date range of the potentially compromised transactions extended from Aug. 2, 2013 to Jan. 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards.
Five different financial institutions contacted by this publication — including two mid-sized banks in California — confirmed receipt of the MasterCard notice, and said that all of the cards MasterCard alerted them about as compromised had been used for charges bearing the notation “STATE OF CALIF DMV INT”.
A representative from MasterCard, speaking on background, confirmed sending out an alert this week. According to bank sources, Visa has not sent out a similar alert. A Visa spokesperson said “Visa cannot comment on potential third party data compromises or ongoing investigations.”
Contacted about the alerts early Friday afternoon pacific time, California DMV Spokesperson Jessica Gonzalez said the agency would investigate the matter. Reached again at 6:30 p.m. PT (well after DMV business hours on a Friday), Ms. Gonzalez said her office was working late as a result of the inquiry from KrebsOnSecurity. She said the agency was still in the process of getting a statement approved, but that it planned to email the statement later that evening. So far, however, the California DMV has yet to issue a statement or respond to further requests for comment.
Update, 6:44 p.m. ET: The CA DMV just issued the following statement, which placed blame for the incident on the organization’s external card processing firm:
“The Department of Motor Vehicles has been alerted by law enforcement authorities to a potential security issue within its credit card processing services.”
” There is no evidence at this time of a direct breach of the DMV’s computer system. However, out of an abundance of caution and in the interest of protecting the sensitive information of California drivers, the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement.”
“In its investigation, the department is performing a forensic review of its systems and seeking information regarding any potential breach from both the external vendor that processes the DMV’s credit card transactions and the credit card companies themselves.”
The CA DMV did not say who their card processor is, but this document from the California Department of General Services seems to suggest that the processor is Elavon, a company based in Atlanta, Ga. Representatives for Elavon could not be immediately reached for comment [hat tip to @walshman23 for finding this document].
Update, Mar. 24, 10:54 a.m.: Elavon officials could not be reached for comment. But a spokesperson for Elavon parent firm U.S. Bank told this publication that “there has been NO confirmation of a breach. We are in touch with the CA-DMV and the authorities to determine if there is an issue.”
If indeed the California DMV has suffered a breach of their online payments system, it’s unclear how many card numbers may have been stolen. But the experience of one institution that received the MasterCard alert this week may offer some perspective.