Blogger and security researcher Brian Krebs reported Saturday, "The California Department of Motor Vehicles appears to have suffered a wide-ranging credit card data breach involving online payments for DMV-related services." He did not immediately know the victim of the breach, but had received a copy of a privately circulated warning from MasterCard being sent to financial institutions.
"Five different financial institutions contacted by this publication — including two mid-sized banks in California — confirmed receipt of the MasterCard notice, and said that all of the cards MasterCard alerted them about as compromised had been used for charges bearing the notation “STATE OF CALIF DMV INT,” he wrote.
Krebs contacted the DMV and was told that the agency would investigate the matter. When he contacted them again he was told they were compiling an email statement for him – and when that arrived it turned out to be the same statement now available on the DMV website. DMV was already investigating the 'potential issue' after “The Department of Motor Vehicles [had] been alerted by law enforcement authorities to a potential security issue within its credit card processing services.”
DMV does not believe it's own computers were breached, but is conducting a forensic review "out of an abundance of caution." The statement says that it is "seeking information regarding any potential breach from both the external vendor that processes the DMV’s credit card transactions and the credit card companies themselves." Without naming that external vendor, DMV is clearly suggesting that the fault lies there.
Krebs believes that merchant may be Elavon based on a Department of General Services agreement for Merchant Processing Services. It should be stated, however, that the agreement is dated 2010, and there is no current, at the time of writing this, indication of a security issue on the Elavon website.
At this stage there is little indication of the extent of any breach. However, the MasterCard warning seen by Krebs "stated that the date range of the potentially compromised transactions extended from Aug. 2, 2013 to Jan. 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards."
While this is unlikely to be as large a breach as the one that recently affected Target, it could easily pan out to a major issue. California drivers are advised to pay close attention to their bank statements.