The headquarters of the California Department of Motor Vehicles in Sacramento in January 2009. Credit: Coolcaesar/Creative Commons
The California Department of Motor Vehicles has suffered a data breach that could involve the credit and debit cards of millions of people, independent security researcher Brian Krebs reports.
Sources at five different banks told Krebs they had received private alerts from MasterCard that cards used online to pay DMV fees between Aug. 2, 2013 and Jan. 31, 2014 may have been compromised.
In a posting on his Krebs on Security blog today (March 22), Krebs said he was told the stolen information included standard "card not present" data — card number, expiration date and the three- or four-digit security code printed on the card.
It wasn't clear whether cardholder names or contact information, or more sensitive personal data, such as driver's license numbers or Social Security numbers, were affected.
Even without names, card-not-present data can be used to fraudulently purchase items online or over the telephone. The printed card security code is meant to verify that the purchaser is in physical possession of the card.
Residents of California can pay most DMV fees online, and Krebs found a press statement that said 11.9 million California DMV payment transactions had been conducted online in 2012. California had 23.8 million licensed drivers in 2011, according to the U.S. Department of Transportation.
The number of credit cards affected in the California DMV data breach was not available, but one source at an unnamed small bank told Krebs the bank had received a list from MasterCard of more than 1,000 compromised cards that had been used at the DMV.
"We're seeing two percent of our card base compromised as a result of this, and our cards are 100 percent concentrated here in California," Krebs' source told him. "That's still a big number, and it's a huge exposure window."
By comparison, Krebs' source said, the bank had just over 3,000 credit cards impacted by December's Target data breach, in which 40 million cards were compromised nationwide.
A Visa representative told Krebs the company knew of the California DMV breach, but had not sent out a private alert to card-issuing banks.
Credit or debit cards are considered compromised if they have been used for fraud, or if there's a risk of them being used for fraud.
To keep track of compromised credit and debit cards, banks and payment services monitor fraudulent transactions and watch underground "carder" websites for data dumps of stolen card numbers. Researchers look for common points of usage among stolen cards to establish where data breaches have taken place.