California drivers: did hackers steal your DMV information?

No confirmed breach, but lots of circumstantial evidence of one

Bad news for California drivers: some hackers might have compromised your personal information on file with your state DMV, although they might not have either, since neither the DMV nor any of the (possibly) affected credit card companies can comment one way or the other.

Specifically, bad news for drivers who took care of certain DMV obligations online, rather than in person at physical DMV branches in the state. Security blogger Brian Krebs from Krebs on Security first mentioned the possibility on March 14, noting:

The California Department of Motor Vehicles appears to have suffered a wide-ranging credit card data breach involving online payments for DMV-related services, according to banks in California and elsewhere that received alerts this week about compromised cards that all had been previously used online at the California DMV. The alert, sent privately by MasterCard to financial institutions this week, did not name the breached entity but said the organization in question experienced a “card-not-present” breach — industry speak for transactions conducted online.

By March 22, the possibility had grown strong enough that the LA Times let its readers know “California DMV probing possible breach of customer credit cards,” although “officials said the agency had no immediate evidence that its computer system had been hacked.” What the agency (and security bloggers) do have is a lot of compromised credit cards used for charges marked “STATE OF CALIF DMV INT.”

That's actually how a lot of database breaches are discovered. Stealing information from a database is usually quite different from (for example) burgling a physical house; you-the-victim won't notice anything missing, and probably won't even see obvious signs of a break-in. What you do notice, eventually, is a lot of mysterious charges appearing on certain accounts.

For example: earlier this month, Krebs inferred that hackers had stolen information from the Sally Beauty supply company, specifically by noting that a batch of stolen credit-card numbers recently offered for sale in an “underground crime store” all shared one trait in common: they'd all been used to make a Sally Beauty purchase within a certain time window.

Maybe, maybe not

So – assuming there was an online breach at the California DMV, which has not been confirmed – it appears that compromised information will include credit card numbers, plus their expiration dates and the three-digit security codes on the back. It's not known if more sensitive information, such as driver's license and Social Security numbers, was included in the breach if there was a breach at all; on March 24, Krebs updated his original March 14 blog post to say:

“[Card processor] Elavon officials could not be reached for comment. But a spokesperson for Elavon parent firm U.S. Bank told this publication that 'there has been NO confirmation of a breach. We are in touch with the CA-DMV and the authorities to determine if there is an issue'.”

So, to reiterate: there might have been a recent breach of California DMV credit card transactions, although neither California state officials nor any credit card companies will confirm this, but if you used a credit card to handle a California DMV transaction between Aug. 2, 2013 and Jan. 31, 2014 you really ought to keep an extra-sharp eye out for the possibility of fraud even though nobody has officially confirmed this.