DMV investigating potential breach in credit card processing

The DMV "has been alerted by law enforcement authorities to a potential security issue," according to a statement. A Los Angeles DMV branch is seen in 2012.
(Luis Sinco / Los Angeles Times)
<i>This post has been updated, as indicated below.</i>

The California Department of Motor Vehicles said Saturday that it was investigating a potential security breach of its credit card processing services, but officials said the agency had no immediate evidence that its computer system had been hacked.

The agency “has been alerted by law enforcement authorities to a potential security issue,” a DMV spokesman said in a statement.

“There is no evidence at this time of a direct breach of the DMV’s computer system,” the statement said. “However, out of an abundance of caution and in the interest of protecting the sensitive information of California drivers, the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement.”


The DMV said it was conducting a “forensic review” of its own systems and was consulting with the external vendor that processes its credit card transactions as well as credit card companies. DMV customers were encouraged to monitor their statements and transactions for any unusual activity and immediately report any concerns to their credit card company.

“Protecting the identity and security of our customers is our highest priority and we fully understand the potential impact any breach of security can have,” the DMV said. “The department has implemented heightened monitoring of all DMV website traffic and credit card transactions.”

“We will immediately notify any affected DMV customers as quickly as possible if we find any issue.”

Security blogger Brian Krebs -- who broke the story of the blockbuster breach of Target customers’ credit card data last year -- cited several financial institutions that received private alerts this week from MasterCard about compromised cards used for charges marked “STATE OF CALIF DMV INT.”

MasterCard said it was “aware of and investigating” reports of a potential breach involving the DMV. The credit card company is communicating with its customers, but cannot provide any details on what information may have been compromised or how many cardholders may be affected, said spokesman Seth Eisen.

Eisen urged cardholders to review their account statements and to call the number on the back of their card if there was any unusual activity. He also emphasized that the MasterCard system itself had not been affected.

It remains unclear how many people might be affected by a potential DMV breach, but Krebs reported that one bank received a list from MasterCard of more than 1,000 cards that were potentially exposed.

Krebs reported that the information stolen included credit card numbers, expiration dates and three-digit security codes printed on the back, but that it remained unclear if other sensitive information -- such as driver’s license or Social Security numbers -- was also taken.

The potentially problematic transactions were believed to have been made between Aug 2, 2013, and Jan. 31 of this year, Krebs reported.

[Updated at 8:53 p.m. PDT March 22: A spokeswoman for Visa Inc. said Saturday that she had no comment on the possible breach or the DMV’s response.

“We cannot comment on potential third party data compromises or ongoing investigations,” Sandra Chu said.]

According to the latest information released by the DMV, more than 11.9 million online transactions were conducted with the agency in 2012, marking a 6% increase from the year before. Online services include transactions such as payment of registration fees and the purchase of specialized license plates,

The potential breach comes on the heels of last year’s massive Target hack. Up to 40 million Target customers’ credit and debit card accounts were illegally accessed from Nov. 27 to Dec. 15, while as many as 70 million shoppers may have had their names and home and email addresses stolen over an indeterminate amount of time.

The incident now appears to rank as the nation’s biggest cybercrime against a single retailer.


Man accused of running car over wife’s Chihuahua is charged

2 Riverside teachers put on leave amid 3rd grade student sex scandal

Sheriff candidates support dropping agency’s current civilian monitors