According to information security specialists, the California Department of Motor Vehicles (DMV) suffered a data breach that exposed the Social Security numbers of thousands of city drivers; the incident would have given other government agencies undue access to this information.
This incident is particularly serious for illegal migrants residing in the state, as the leaked records specify which drivers do not have a social security number, which would reveal their immigration status. The city government says there is no way for migration agencies to have access to these records.
However, the California government noted that some law enforcement agencies have accessed this information as part of investigations into illegal activities.
As per information security specialists, agencies that would have accessed this information include the IRS, the Small Business Administration, and the offices of San Diego and Santa Clara district attorneys; specialists have been unable to determine whether any migration agencies gained access to this information.
On the other hand, the DMV claims that the information was exposed due to an internal error, not as a result of a cyberattack against its IT systems. In addition, the Department asserts that unauthorized access was shut down immediately after it was detected, on the morning of last August 2.
It is estimated that the information of just over 3,200 drivers was exposed during this incident; the Department stresses that all affected users have already been notified. “The security of personal information is vital for DMV; the necessary measures have already been implemented to correct this failure; we deeply regret the inconveniences this problem may have caused,” says a statement from the Department.
Ultimately, Anita Gore, a spokesperson for the DMV, told before local media: “We want to emphasize the fact that no other personal record was exposed during this incident; the DMV immediately began an incident correction process to contain the scope of the leak”.
Although the DMV claims that it was not the target of a cyberattack, specialists from the International Institute of Cyber Security (IICS) consider it relevant that the organization conduct a thorough review of its information security policies and practices, to ensure that these kinds of errors won’t happen again.