Word is trickling out, although it has not formally reached the victims, that a security breach involving California's Department of Motor Vehicles (DMV) has exposed credit card information of online customers.
DMV said the breach did not occur in its computers and pointed a finger at an unidentified vendor that processes its credit card transactions.
It is unclear how many people may be affected, but former Washington Post reporter Brian Krebs, who broke the Target credit card story last year on his website, KrebsOnSecurity, called the breach “wide-ranging.” MasterCard confirmed that it sent alerts to five financial institutions with information about their customers who may have been affected. So far, there is no word of a similar alert from Visa.
The alert said that the compromised transactions occurred between August 2, 2013, and January 31, 2014, and stolen data may include the credit card number, expiration date and three-digit security number on the back of the card. Krebs said it was unclear exactly what information was revealed and may include, “Drivers License and Social Security numbers, email and physical addresses, phone numbers and other personal data.”
Since no one was speaking for the record with any firm numbers, Krebs penciled out some calculations based on online traffic at DMV, sketchy bank comments and the Target debacle that impacted 40 million people.
A source at one bank contacted by Krebs said 1,000 of its customers were affected, compared to 3,000 in last year's Target breach. “We’re seeing two percent of our card base compromised as a result of this, and our cards are 100 percent concentrated here in California,” the source told Krebs. “It’s a huge exposure window.”
DMV does not accept credit cards at its offices, so the breach apparently only involves credit card transactions. Department records indicate a huge surge in card use in 2012, with more than 11.9 million transactions. That's a 6% increase over the year before. But the DMV report was published on January 13, 2013, and an updated report for this year was not available on its website.