SACRAMENTO (CBS SF) -- A security breach at the Department of Motor Vehicles may have exposed vehicle registration information from millions of Californians.
The DMV said Wednesday that their vehicle registration records may have been involved in the security breach of a contractor used by the DMV.
Seattle-based Automatic Funds Transfer Services (AFTS) was the victim of a ransomware attack earlier this month that may have compromised information provided to AFTS by the DMV, including the last 20 months of California vehicle registration records.
DMV Spokesperson Anita Gore told KPIX 5 that the state agency is notifying customers out of an abundance of caution about the ransomware attack.
"It does not include social security number. It does not include driver's license information so there's no financial information at all," said Gore. "We know that this third party had a ransomware attack. They held onto some of our information but we have no indication that anybody has done anything nefarious with that information."
California registered some 35 million vehicles in 2019, including cars, trucks, motorcycles and other vehicles.
The DMV said the registration records include names, addresses, license plate numbers and vehicle identification numbers. AFTS does not have access to customers' driver license information, Social Security numbers, birthdates, voter registration, or immigration status, and therefore that date was not compromised, according to the DMV.
Once notified of the breach, the DMV said it stopped all data transfers to AFTS and notified law enforcement, including the Federal Bureau of Investigation.
"Data privacy is a top priority for the DMV. We are investigating this recent data breach of a DMV vendor in order to quickly provide clarity on how it may impact Californians," DMV Director Steve Gordon said in a press statement. "We are looking at additional measures to implement to bolster security to protect information held by the DMV and companies that we contract with."
The DMV said there was no indication that information accessed by the ransomware attack on AFTS has been used for any nefarious reason, but customers were urged to report any suspect activity to law enforcement.
The agency said it was contracting with a different address verification company on an emergency basis to make sure there were no impacts to customer service.
While the security breach may have not compromised financial information, Armen Najarian with RSA Security said this is a concerning trend.
"This is the type of attack that we have been following for a long time," said Najarian. "This is what we would call a supply chain exploit."
Najarian told KPIX that by by attacking smaller suppliers that haven't invested in the latest security technology, thieves are getting access to critical information through the back door. That information can be used to file fraudulent claims.
"It's death by a thousand cuts and that's the concern that yet another important bit of information is now out there among the organized fraud communities," Najarian explained.
In 2019, a report showed the California DMV collected $51 million the previous year by selling drivers' personal information, including names, addresses and car registration information.
The DMV also acknowledged in 2019 it improperly disclosed the private information of 3,200 people to seven government agencies.
Before the pandemic, ongoing problems with excessive wait times and the rollout of the Real ID program prompted outrage from lawmakers and customers and led to staff retraining and leadership changes.
Andrea Nakano contributed to this story.
for more features.