The Department of Motor Vehicles (DMV) in California may have suffered a widespread
breach, leaving millions of online customers open to credit card fraud. Despite a lack of evidence, police and the DMV have warned that a breach may have occurred and “out of an abundance of caution," the DMV has opened an investigation.
Security blogger Brian Krebs first reported on the issue and provided evidence from multiple banks that had received alerts from MasterCard. Even though the alert did not state where the breach occurred, subsequent information from the DMV has revealed what may have happened. While not providing extensive details about the breach, the agency said it had not yet found evidence to suggest that its computer system had been hacked.
As of March 21, the DMV still did not know if the breach affected its payment processor or the actual credit card companies. Both of those scenarios take the blame away from the DMV, even though there is still no public evidence to suggest that its system was not compromised. “In its investigation, the department is performing a forensic review of its systems and seeking information regarding any potential breach from both the external vendor that processes the DMV’s credit card transactions and the credit card companies themselves,” the California DMV said in a statement.
Conservative estimates that are based on public DMV data suggest that if the breach did occur, there are millions of potential victims. Recent attacks, like the one against Target at the end of last year that compromised the credit and debit card data of some 70 million customers are much larger than the possible DMV breach. However, the DMV’s own statistics reveal that many of its payments come from online transactions, which are at the center of the investigation.
In 2012, there were nearly 12 million online transactions covering license renewals, ID renewals, vehicle registrations, etc. Based upon those numbers, there is an average of 1 million payments each month. The original MasterCard alert warned that transactions between August 2013 and January 2014 were potentially compromised, meaning that as many as 6 million payments could be at risk.
A String Of Attacks
The potential California DMV breach is unique in that it would have affected a government-run institution, but credit card fraud as a result of security breaches is not uncommon. The Target hack has brought these security breaches into the public spectrum.
We asked Charles King, principal analyst at Pund-IT, for his opinion on the recent string of security breaches that have left millions of credit cards open to fraud. He told us that businesses -- both private and public -- use systems that have many potential weak points and trying to patch all of them is a difficult job.
“It isn’t that these systems are essentially incapable of being secured so much as it is that there are so many potential points of intrusion and breakdown,” King said. “The solutions to these problems aren’t cheap or simple but businesses can afford themselves greater by building security into systems and processes from the very beginning, not by bolting on inadequate solutions after the fact."