The California Department of Motor Vehicles has been breached, potentially exposing millions of driver registration records.
The California DMV data was accessed through a compromised third-party vendor - Automatic Funds Transfer Services (AFTS). The DMV contractor fell victim to a ransomware attack that could expose 20 months of DMV business records.
“Automatic Funds Transfer Services, Inc. (AFTS) of Seattle was the victim of a ransomware attack in early February that may have compromised information provided to AFTS by the DMV, including the last 20 months of California vehicle registration records that contain names, addresses, license plate numbers and vehicle identification numbers (VIN).” California DMV said in a statement.
When a vendor is breached, all of its clients could be impacted through internal pools of shared sensitive data. The back door attack method, known as a third-party or a supply chain attack, targets vendors with poor security practices. A single breach exposes a treasure trove of sensitive data for multiple clientele.
The pressure to quickly salvage sensitive data before clients are impacted makes third-party breaches ideal for ransomware attacks. In a Ransomware attack sensitive data is seized and only released if a set ransom price is paid.
But the release of seized data is never guaranteed, for this reason, the FBI strongly discourages ransomware payments. Even if AFTS manages to salvage its compromised data, there’s no assurance that it hasn’t already been exfiltrated and sold on the dark web.
Organizations take a significant risk when onboarding vendors. Relinquishing sensitive data is necessary for integration, but without upgrading security practices, this inexorable effort will always introduce dangerous vulnerabilities.