"The breach of information was caused by Vertafore. The Texas Department of Motor Vehicles was not hacked and was not the cause of the breach."
I appreciate that the Texas DMV wasn't the direct cause of this breach, but they can't completely pass the buck to Vertafore. At the very least, I would think they need to issue 28 million new licenses with new license numbers and invalidate the old ones. And, since this is likely to be an expensive and time consuming process, they should probably sue Vertafore to make them pay for it.
And while they're at it, they should probably make sure that Vertafore is never allowed to access this data again.
Realistically, none of this will happen, the compromised DL #s will remain valid in perpetuity (I just had someone tell me they moved out of Texas for 5 years and were issued the same DL # when they moved back), and Vertafore won't even be fined.
It's ridiculous that the DMV is passing the buck at all on this. The DMV are the originators of the data. It is their responsibility to make sure that any third party who has access to this data has the appropriate security in place to protect that data.
This isn't some far-fetched premise, either. "Third Party Risk Management" is a basic part of pretty much every cyber security framework I can think of. It is even part of the NIST CSF, which every government entity in the US is supposed to be following.
Vertafore's failure is the DMV's failure, and heads should roll at the DMV.
It's also a little ridiculous that this information is still valuable from a fraud perspective. It's completely possible to run a SmartId/Card system (similar to the Estonian national id / e-residency).
So long as just knowing some of these details has value like getting fraudulent credit cards the problem will exist, and criminals will find ways of accessing the data.
Now granted, stuff like the home address is always going to be valuable, but less so if it's not as useful for identity theft.
> It's completely possible to run a SmartId/Card system (similar to the Estonian national id / e-residency).
That’s not necessarily a good example of doing it well. Unless something changed since I last looked, after the Estonian certs were all found vulnerable, allowing impersonation and forged signatures on official government documents, the government refused to reissue new certs to citizens.
In other words, they were effectively in the same place as Texas.
I don't think that is accurate. The rollout took time but ultimately disabled certificates that weren't updated. It also didn't lead to major attacks as weak keys still needed to each be exploited.
Sending 3rd parties perfect copies of private data of your citizens to run a credit scheme is a different place.
Exactly. Who on earth could expect that they just copy the entire database to a minor insurance company? The data will always be incomplete, out of date and insecure. Not providing a proper query service to all the insurances is a major fault, and the responsible people should be fired immediately.
Basically, this is the structure that the GDPR mandates: the data controller (entity that processes data on behalf of the customer) is liable for data security breaches, regardless of whether the breach occurred at themselves or a third-party data processor.
Eventual fines will also be shared by them, and the ratio will depend on how diligent the controller was in selecting and auditing their data processor(s). Exactly because it's too easy to outsource your exposure risk along with your customers' data.
DMV can't afford the kind of external auditing that would've caught this. Not with their current budget. Setting aside taxes etc, what do you propose a public service organization should do in these situations other than trust a company to do what they're saying?
edit: removed a statement distracting from the two questions.
Why should we set aside taxes? Texas is allergic to taxes and the state government loves to keep itself running on a shoestring budget, but as we can see here, that's just robbing Peter to pay Paul. Adequate funding to run a proper audit and risk management program is definitely the way to go.
Yeah it might be distracting from the two questions I did ask. I'll remove the statement because it seems to ruffle some political feathers.
It wasn't intended politically, but rather to say the tax situation is a known quantity already which is why the second question asked to set that aside before answering.
If lenders are held liable for Equifax/TransUnion/etc breaches, they will stop sharing information about debtors, leading to more expensive credit/a freezing of consumer lending.
It wasn’t so long ago that credit card companies would just send out cards to everyone in a postal code, the idea was you had to return it if you didn’t want it, or they assumed you did and charged you the annual fee. Or you accept the fee and start using the card. It took an act of congress to stop them from doing that.
Around that same time the credit card companies were also getting a lot of flak for issuing cards to newborns, pets, and the deceased. That also took an act of congress to stop.
The US credit agencies themselves are only a few decades old, people have been borrowing and lending for a bit longer than that - you can read about it in the Old Testament.
On the contrary, this year credit scores have been rising and interest rates falling despite borrowers, in reality, being at a greater risk of default today than maybe any other time since 2008.
Maybe the real service provided by the credit data sharing is how data is used almost everywhere in reality: marketing?
I suspect their basic service is to outsource responsibility.
If each lender does their own due diligence and risk ranking, any lender that has an above average failure rate will take a lot of flak from their investors and regulators.
If they say "We use the same scoring formulas and credit files as everyone else", they can push the blame back to the bureaus.
> (I just had someone tell me they moved out of Texas for 5 years and were issued the same DL # when they moved...
California too, one keeps the same number for whole life, all between ID, License, Commercial & anything in between. The only way to change it is by religious objection to the number like 666 or 999 or such; or if somehow DMV issued same number to two persons; which has happened in past long ago.
My wife and I left Texas in 2013, moved back about 18 months later in 2014. They told us we couldn't renew/update our licenses and had to get new ones (both would have not expired yet). When we received the "new" ones, the numbers and expiration dates were the same.
Texas is by far the worst state I've lived in for getting your driver's license and vehicle registrations.
Passing the hot potato is incident management 101 for organizations processing personal data with an external service. This happens to public / state agencies of many countries every now and then. Many of these incidents seem to be caused by systems allowing weak passwords.
It is a big part of the reason that service providers and consultants exist and command the fees that they do. They are implicitly signing up to be the fall guy if the project doesn't go well.