"The breach of information was caused by Vertafore. The Texas Department of Motor Vehicles was not hacked and was not the cause of the breach."
I appreciate that the Texas DMV wasn't the direct cause of this breach, but they can't completely pass the buck to Vertafore. At the very least, I would think they need to issue 28 million new licenses with new license numbers and invalidate the old ones. And, since this is likely to be an expensive and time consuming process, they should probably sue Vertafore to make them pay for it.
And while they're at it, they should probably make sure that Vertafore is never allowed to access this data again.
Realistically, none of this will happen, the compromised DL #s will remain valid in perpetuity (I just had someone tell me they moved out of Texas for 5 years and were issued the same DL # when they moved back), and Vertafore won't even be fined.
It's ridiculous that the DMV is passing the buck at all on this. The DMV are the originators of the data. It is their responsibility to make sure that any third party who has access to this data has the appropriate security in place to protect that data.
This isn't some far-fetched premise, either. "Third Party Risk Management" is a basic part of pretty much every cyber security framework I can think of. It is even part of the NIST CSF, which every government entity in the US is supposed to be following.
Vertafore's failure is the DMV's failure, and heads should roll at the DMV.
It's also a little ridiculous that this information is still valuable from a fraud perspective. It's completely possible to run as SmartId/Card system (similar to the Estonian national id / e-residency).
So long as just knowing some of these details has value like getting fraudulent credit cards the problem will exist, and criminals will find ways of accessing the data.
Now granted, stuff like the home address is always going to be valuable, but less so if its not as useful for identity theft.
> It's completely possible to run as SmartId/Card system (similar to the Estonian national id / e-residency).
That’s not necessarily a good example of doing it well. Unless something changed since I last looked, after the Estonian certs were all found vulnerable, allowing impersonation and forged signatures on official government documents, the government refused to reissue new certs to citizens.
In other words, they were effectively in the same place as Texas.
I don't think that is accurate. The rollout took time but ultimately disabled certificates that weren't updated. It also didn't lead to major attacks as weak keys still needed to each be exploited.
Sending 3rd parties perfect copies of private data of your citizens to run a credit scheme is a different place.
Exactly. Who on earth could expect that they just copy the entire database to a minor insurance company? The data will always be incomplete, out of date and insecure. Not providing a proper query service to all the insurances is a major fault, and the responsible people should be fired immediately.
Basically, this is the structure that the GDPR mandates: the data controller (entity that processes data on behalf of the customer) is liable for data security breaches, regardless of whether the breach occurred at themselves or a third-party data processor.
Eventual fines will also be shared by them, and the ratio will depend on how diligent the controller was in selecting and auditing their data processor(s). Exactly because it's too easy to outsource your exposure risk along with your customers' data.
DMV can't afford the kind of external auditing that would've caught this. Not with their current budget. Setting aside taxes etc, what do you propose a public service organization should do in these situations other than trust a company to do what they're saying?
edit: removed a statement distracting from the two questions.
Why should we set aside taxes? Texas is allergic to taxes and the state government loves to keep itself running on a shoestring budget, but as we can see here, that's just robbing Peter to pay Paul. Adequate funding to run a proper audit and risk management program is definitely the way to go.
Yeah it might be distracting from the two questions I did ask. I'll remove the statement because it seems to ruffle some political feathers.
It wasn't intended politically, but rather to say the tax situation is a known quantity already which is why the second question asked to set that aside before answering.
If lenders are held liable for Equifax/TransUnion/etc breaches, they will stop sharing information about debtors, leading to more expensive credit/a freezing of consumer lending.
It wasn’t so long ago that credit card companies would just send out cards to everyone in a postal code, the idea was you had to return it if you didn’t want it, or they assumed you did and charged you the annual fee. Or you accept the fee and start using the card. It took an act of congress to stop them from doing that.
Around that same time the credit card companies were also getting a lot of flack for issuing cards to newborns, pets, and the deceased. That also took an act of congress to stop.
The US credit agencies themselves are only a few decades old, people have been borrowing and lending for a bit longer then that - you can read about it in the Old Testament.
On the contrary, this year credit scores have been rising and interest rates falling despite borrowers, in reality, being at a greater risk of default today than maybe any other time since 2008.
Maybe the real service provided by the credit data sharing is how data is used almost everywhere in reality: marketing?
I suspect their basic service is to outsource responsibility.
If each lender does their own due diligence and risk ranking, any lender that has an above average failure rate will take a lot of flack from their investors and regulators.
If they say "We use the same scoring formulas and credit files as everyone else", they can push the blame back to the bureaus.
> (I just had someone tell me they moved out of Texas for 5 years and were issued the same DL # when they moved...
California too, one keeps the same number for whole life, all between ID, License, Commercial & anything in between. The only way to change it by religious objection to the number like 666 or 999 or such; or if somehow DMV issued same number to two persons; which has happened in past long ago.
My wife and left Texas in 2013, moved back about 18 months later in 2014. They told us we couldn't renew/update our licenses and had to get new ones (both would have not expired yet). When we recevied the "new" ones, the numbers and expiration dates were the same.
Texas is by far the worst state I've lived in for getting your drivers license and vehicle registrations.
Passing the hot potato is incident management 101 for organizations processing personal data with an external service. This happens to public / state agencies of many countries every now and then. Many of these incidents seem to be caused by systems allowing weak passwords.
It is a big part of the reason that service providers and consultants exist and command the fees that they do. They are implicitly signing up to be the fall guy if the project doesn't go well.
>He says drivers should freeze their credit and change their account passwords.
As in, all 28 million drivers?
28 million people dealing with this level of inconvenience is astounding, and a clear-cut example of why the penalties for data leaks need to... well, at least start existing, by one means or another. Also worth noting I don't see SSNs, CC info, or any passwords included, so this just seems to be a standard thing people say regardless.
I started with this thought half-jokingly, but now I think I'm serious:
Every single SS# needs to be made public, along with the assigned name. Not just known-breached, but somewhere where it's obvious that anyone could look it up as easily as looking up a phone number or mailing address. Somewhere so public that everyone else knows that they're no longer "secret."
Using Social Security numbers as some sort of proof you're who you say you are is batshit crazy these days. But we all pretend that it's still secure somehow. If there was an embarrassingly public list of all SS#s, then banks would be forced to improve their vetting of applicants.
At the same time, the onus needs to be on a financial institution to prove that I opened an account. If I discover a line of credit in my name, all I should need to do is disavow it, and make the lender prove that I was the one who authorized it.
Yes, this will increase the cost of doing business. But that increased cost is already here, just born randomly and disproportionately by the victims of "identity theft."
Want to issue a credit card with a $15,000 limit? Have the applicant walk into a branch, provide a thumbprint take their picture. Or get them on a video call standing in front of their house, attesting that they're the person they say they are. Or if you think that's too inconvenient you can take on all the risk if the borrow later disavows the debt.
A piece of paper or online form with the magic numbers is just not enough.
> Or if you think that's too inconvenient you can take on all the risk if the borrow later disavows the debt.
They are already required by law to assume the risk for fraudulent charges. It's just a mess and hassle for consumers.
It's like leaving packages on doorsteps without signatures. Apparently they just make more money eating the occasional fraud losses than the price of doing something safer.
I’m not talking about fraudulent charges, but entire accounts. Credit cards and car loans opened using someone else’s identity. When that happens today, the victim can spend years trying to unravel the mess and repair their credit files.
In my case, a phone line for a ‘drug dealer’ that was eventually tapped by law enforcement. The phone company tried to stick me with 3k$ in fees. Initially, the only correct information on the account was my address — they had verified nothing else.
I have said for a long time that SS numbers, birthdates, mother's maiden name, place of birth, date of marriage, street you lived on 10 years ago, all the standard "secret" info should be presumed public if not in fact made public. None of that is hard enough to dig up that it should be relied upon to prove identity.
ever since the pandemic started, at work we've had a a chat channel for "socializing" with each other. One day someone posted a topic. Something like, "Tell us about where you grew up". And the head of security immediately replied and said, "let's talk about something that isn't a common security question".
I admit that I think that was 100% unnecessary, expecially in this situation, to put the kibosh on the conversation. But it made me realize how insane it is that something that is a common "get to know you" type question (tell me about where you grew up? (street, school etc) Tell me about your parents? (maiden name)) are also a common "security" questions.
Also, side note. I NEVER use real answers to those questions. I treat it as an extra password and store it securely that way. No way I'm going to turn my mother's maiden name (easily searchable if you know my full name) into a password!
Whenever I am forced to do surveillance based "authentication" (where they ask you all those questions about your past), I pretend to forget everything I know about my own life and just answer the questions using web searches (eg what city is some popular street in). I reckon this is a good way to avoid confirming any data that they only half know. So far I have not failed to "verify" using this technique.
The penalty for mishandling mandatory/essential data like social sec numbers, medical and driving records should be much much higher than just normal PII data. It’s not like I can opt out of having a social security number. It’s forced on us and then we can get completely screwed over if someone we didn’t even know had the info allows it to be breached. Also this nonsense about allowing government contractors in and out of information critical systems like that needs to go away. It’s only done because they can’t attract talent with competitive government wages.
I don’t agree. We need certifications for people who handle the data and better training. We should also require basic things like hashing passwords and having clouds where it is much harder to put data in public buckets.
All it takes is one junior employee to make a mistake one day copying a file.
So annoying. This silly insurance software company can just cover their trivial costs from the breach with insurance. It needs to be more expensive to allow a breach than to ignore security. Thank you Vertafore. Maybe we should all stop by your office and thank you in person - oh, you’re not anywhere near Texas! What a lovely mission statement you have:
It’s our mission to provide exceptional service and powerful insurance technology so you can focus on what matters to you – people.
Let's see: 10k/record x 28M = $28e11 or 2800 bn. Quite a bit more that Finland's GDP in 2019. That kind of debt amounts to a corporate death sentence if ever enforced. Too bad it's only for medical records.
The wave of Medicare and identity fraud that follows will cost billions. I have family in other states that can’t draw unemployment because someone is already drawing it for them because of state breaches like this. It’s going to be an absolute disaster.
> Drivers can contact Vertafore to see if their information was hacked by calling 888-479-3560.
We have to call you to find out if you leaked our information? That's some idiotic logic right there. I didn't call you to put my information in your systems, I shouldn't have to call you to find out if you lost it.
> "The department only allows outside use of information for reasons found in Transportation Code Chapter 730 and the Federal Drivers Privacy Protection Act. These laws permit, and at times require, the release of motor vehicle records to authorized parties."
Texas should pass a law requiring any companies who become 'authorized parties' to proactively respond in case of a breach by sending registered letters to everyone affected, telling them how to sign up for the credit monitoring they're entitled to.
DMVs sell just about everything, using fairly standardized contract models that the association of DMVs coordinates,
In some states, it’s illegal for DMV to give other agencies, say a tax department, most information, so the other entity buys the data from a broker. Similar to the contracts with companies like LexisNexis and Thompson where the government needs to pay for a subscription to access its own laws.
Someone didn't read the article. To be honest however one shouldn't have to read an article for common sense.
>Driver's license numbers, names, birthdates, addresses, and vehicle registration information were stolen for nearly 28 million Texas drivers who received a license before February of 2019.
"There's a lot an identity thief can do with this information. They can try to create a new account and they can try to prove they are you when they're logging in to an existing account," said James Lee with the Identity Theft Resource Center.<
No idea about you, but I don't make any of that info public.
What I want has nothing to do with it. They got my data without my input or approval and lost said info. The onus to make this right is on them, thus the recommendation to freeze credit and one free year of credit monitoring.
Did you say the same for the equifax breach?
You thinking the information being public, complete and in a searchable format is nothing big doesn't lessen the very real impacton literally millions of people.
It has everything to do with it because you are imagining a harm that doesn’t exist. Then you complaining about it with your head in the sand. I say this as somebody who lives in Texas, a supposed victim.
> Vertafore says the company has known about the breach since mid-August. So we asked why they're just now announcing it.
> The company says they reported it to the Texas Office of the Attorney General, the Texas Department of Motor Vehicles, and the Texas Department of Public Safety and wrote, "Vertafore’s notice was delayed at law enforcement’s request."
Hard not to see this as purposefully delayed until after the election.
No one in the Texas election had any connection to the state DMV. It was either federal positions or local elections, but nothing with a material connection in state offices.
I think it would make people upset with whoever is perceived to be incumbent leadership that this “would be allowed to happen.”
Whether the assignment on existing representation is logical is a fair question. But this would be far from the most irrational sentiment from voting people these days.
I’ll stake out this was purposefully repressed for political reasons. On surface it suggests weakness in oversight by the state. And lack of privacy protection oversight posture by prevailing party doesn’t help either.
"He says drivers should freeze their credit and change their account passwords."
Why would I want to change passwords? Either he doesn't know what he's talking about, or breach is worse than reported, e.g. DMV website passwords were stolen and they were stored without salting/hashing.
Texas spreads their drivers license info far and wide. I worked at an online traffic school for traffic tickets that is licensed in Texas and part of the requirements is that you have to buy, update monthly and store all 28 million drivers license info on your system to make identity questions out of.
So if you signup, an example identity question might be what are the color of your eyes, or weight, or your zip code, and so on.
They deliver these files on a ftp server with a zip file.
On top of that you have to create identity questions out of the cars the person owns but it is not a downloadable file you have to scrape the contents of an online site you buy access to which gives you access to every car the person owns.
Lastly, to complete clearing their ticket in Texas they have to have a certified copy of the driving record from the DMV. I would login as them using a script, purchase, then mark-up from $15 to $25, a pdf.
Driver's license numbers, names, birthdates, addresses, and vehicle registration information were stolen for nearly 28 million Texas drivers who received a license before February of 2019.
Wait a minute. Isn't this all public data? In fact you have been able to pay to access all of that data through a company called Public Data since the 90s. So what exactly is the new risk here? https://login.publicdata.com/
It's also a bit absurd that the victim count is 28M. The total population of Texas is 28M, which includes small children who aren't drivers.
This is all public info. You can scan & decode the PDF417 barcode on your state issued identification to see exactly what data is available. Most jurisdictions conform to the AAMVA standard for this.
The maximum small claims penalty in Texas is $20,000 and while that amount may be aspirational, Roper Technologies has just purchased Vertafore for 5.35 billion USD[0] so it would only take a per capita penalty of $191 to match the purchase price and make the acquisition a truly expensive and foolhardy decision. Roper Technologies booked 3.2 billion USD revenue in 2020[1].
[0]https://www.barrons.com/articles/roper-technologies-is-buyin...
[1]https://www.ropertech.com/
Incidentally, S3 GUI in AWS web console recently changed to be much more foolproof—even if bucket as a whole is set up to be public, each time one uploads files into it they seemingly default to non-public visibility which requires at least two clicks to override, one of which a la “I understand the danger”. (Although, of course, uploads via CLI or API work as usual.)
Or make “identity theft” a problem for the banks and institutions that want to use digitally entered 9 digits and birthdate as some sort of authentication.
If a bank or whoever gets defrauded by someone claiming they are someone else, that should be the bank’s problem. Everyone has a smartphone today with a video camera and data. Why is a video of you giving a thumbs up and announcing your authorization for entity X to borrrow or purchase with Y dollars not the standard?
I sold a home/closed through notarize.com and was very impressed by their solution. This should be mandatory to open any type of credit account, witnessed and videoed thumbs up as a service could totally be a thing
Every once in a while I will call up my financial institutions and try to get them to do some arbitrary transaction I could have done online but just to see what minimum amount of info I have to provide them to get them to actually move my money around. It’s kind of horrifying. The social and the bank account number is usually all that is needed. That is the reason I refuse to use a small credit union over a large bank. Credit union staff tend to be more trusting and less informed on average regarding when to be suspicious than the call centers for A larger institution
You just gave me something to think about. I've been with the same small CU for 20 years. They're really small. Twice now I've needed to wire money, and when I called, I was told something like, "Maggie is on her lunch break right now, but she'll be back at her desk in 20 minutes. She'll call you to verify the details."
It's a running joke whenever I have to wire money: "Make sure Madge is working today!"
I liked that quaint feel, but I suppose Steally McThief would also appreciate it...
These magic numbers should get neutered, considered compromised from the start, and then we build a system based on that assumption. We could use a GPG like system with certificates and expiration. A creditor produces my ciphertext signed before a revocation, or they can't even file it against my credit, which will take the same for verification to mark against my credit, and dismissing such claims by a creditor is trivial and automated. You dispute a transaction, and they produce your signature, or else it simply disappears. No court trials, nothing.
It could get complicated, like mandatory checking of centralized revocation lists, which the creditor would also need proof of, etc. But it could be worked out by smart people, and even run by the government gasp. If a hacker gets the information, wow, they've got your public keys, and then upon discovering the breach, all the certs get revoked.
I agree about the "dumb magic numbers" but I don't think any digital system is the answer in the short term. Look at the complete disaster with ransomware, cryptolocking of databases shutting down or severely hampering businesses and health care orgs, the disclosures of data from organizations at every level of size and presumed technical sophistication, credit cards skimmed at will at ATMs, retailers, and online. It's a house of cards built on sand. Is the worst that can happen is the disclosure of public keys? What about the undetected exfiltration of the private keys that are used to issue everyone's certificates? Or the the random disabling/ransoming of the verfication infrastructure leaving nobody able to transact any business?
I don't think we're close to being able to pull it off at anything approaching scale. It's not just a technical problem, hard as that is by itself, it's also a political problem, and a public trust problem. Right now, half the country would reject it based simply on which party is in power. "It could get complicated" indeed. I think we are a decade at least, maybe a generation away.
I think such a system could be made convenient. And if the alternative is not legally binding, like, if they want to use magic numbers and paper and you give them the number and sign with ink and they give you money then come to collect, and all you have to say is "show me the digital signature", and they produce it or by law they have no claim, it'll get figured out and convenient.
The title should be “all driver licenses data in Texas”. Texas population is close to that number. It is not limited to that one insurance provider. They had a copy of the data for entire state!
They hide behind lawyers and don't use complex passwords for admin accounts. Nor do they do security updates in a timely fashion. If one admin runs an attachment in email that exploits the system, they got a trojan back door into the server and can do whatever Admin does.
At this point in 2020 there must have been over 1000 data breaches, often times containing (and reaffairming) the same data such as a person's address (and in data breaches, we can track that same persons data across time, which can be useful).
You can't have a globally connected society, data storage in the billions of records, and a 'right to privacy' at the same time. It's not possible, these breaches just reaffirm that.
How long before the next data leak pops up on HN again?
Privacy died after 2001, and there's nothing to prove otherwise.
"Someone did something unethical, and we can probably benefit from it.
And since people will probably do the unethical thing again, and the system which enabled people to do the unethical thing isn't perfect, we don't even really need to worry about whether using that to our benefit is unethical.
In fact, it's been years since we really needed to worry about that sort of thing anyway.
Isn't it just easier to ignore our personal responsibility to try to do the right thing in this situation?"
I think this was mentioned elsewhere, but this is different from many other cases.
In this case, you cannot choose to opt out, not if you wish to drive. Further, this isn't just ID, but a whole range of info around that ID.
As example, by law in my jurisdiction, I am legally obliged to keep medical info, address, and other info up to date for my license.
I believe breaches of government ID must be held to a far higher standard than a lost credit card. IMO equifax goes into that slot, for it falls into the "cannot escape" category.
As an example, I have never used airbnb, due to their mandatory ID requirements, regardless of their claims uploaded ID is deleted after vetting. After all, Equifax's compromise went on for almost a year, and in such a case each upload, waiting to be vetted, could be copied before deletion.
So I use alternative services, like VRBO, or Craigslist even. I have choice, options, and am not compelled by law to use any of these services.
As soon as I am compelled, by the threat of violence (arrest, etc) to do a thing, you'd better perform the utmost in due diligence.
And maybe, not give entire databases to others, for profit?
Vertafore is not the only company in Texas with this data. Other large Texas companies have it and it’s stored in the clear. I’ve seen it with my own eyes.
I don't understand.. drivers licenses dob and all of this info is already public record in many states. Why is this so alarmist? Most states have searchable court records, so if you ever so much as had a speeding ticket it will usually have DL, license plate #, name, address, violation details, and a ton of other info as part of public record.
It is public info in Texas, just a pain in the butt to get. The “easiest” way is to pay for a DVD; less easy is to pay in bulk for records downloads (over FTP). This is how we cross reference potential voters (starred licenses), vs DL#, vs past primary voting, cross referenced against ph# dbs.
> The advice we give people today is don't have a password, have a passphrase," said Lee.
What is meant by this? Is the distinction between "word" and "phrase?" As in "don't have 'horse' have 'correct-horse-battery-staple'" because that's a "phrase?"
Texas leadership has a history of choosing shady vendors who screw its residents. It goes right to the top offices. Did you know that our state attorney general is under criminal indictment?
Ahh, here we go again! The data breach merry go round.
Tip to anyone reading this: Use HN/search and find other examples of data breaches to know exactly how these comments will play out, we can even use an AI to simulate this exact situation!
"We're weally sowwy about this, have free credit reporting on us! (P.S we don't care, nothing bad will actually happen to us so sucks to be you! bye!)"
(source: Experian/Equifax leaks or any data leak ever)
Meanwhile nothing ever changes, nobody is imprisoned or even mildly inconvenienced whilst those affected have to deal with the fallout...
To be honest, it'd be better to stop calling them "breaches" and just call it "already public data was made public, again".
This data is not, was not, and can not be considered 'private' at this point. Your data is always leaking; consider your name/address/SSN/DOB and anything else part of the immutable public record.
I appreciate that the Texas DMV wasn't the direct cause of this breach, but they can't completely pass the buck to Vertafore. At the very least, I would think they need to issue 28 million new licenses with new license numbers and invalidate the old ones. And, since this is likely to be an expensive and time consuming process, they should probably sue Vertafore to make them pay for it.
And while they're at it, they should probably make sure that Vertafore is never allowed to access this data again.
Realistically, none of this will happen, the compromised DL #s will remain valid in perpetuity (I just had someone tell me they moved out of Texas for 5 years and were issued the same DL # when they moved back), and Vertafore won't even be fined.