Data relating to millions of car owners in California may have been stolen after a third-party contractor used by the California Department of Motor Vehicles was struck by a ransomware attack.

The ransomware attack struck Automatic Funds Transfer Services Inc., a Seattle-based company that provides financial services and data management services the DMV uses to verify changes of address for car owners. Other than the ransomware attack reported to have taken place in early February, no details on the form of attack have been revealed. The website for AFTS is currently offline indicating that the ransomware attack may be ongoing.

In a statement released Wednesday, the DMV said the data compromised covered the last 20 months of California vehicle registration records, including names, addresses, license plate numbers and vehicle identification numbers. “AFTS does not have access to DMV customers’ Social Security numbers, birthdates, voter registration, immigration status or driver’s license information, therefore this data was not compromised,” the DMV noted.

The department added that it immediately stopped all data transfers to AFTS upon being notified of the potential breach and notified law enforcement, including the U.S. Federal Bureau of Investigation.

The data breach may be far larger than the California DMV. TechCrunch reported that AFTS is used across the U.S. to process payments, invoices and verify addresses. Several municipalities have already confirmed that they have been affected.

“The California DMV’s exposure of almost 38 million records confirms government organizations need stronger authentication to protect sensitive data, or any data for that matter,” Robert Prigge, chief executive officer of identity verifications company Jumio Corp., told SiliconANGLE. “Fraudsters can leverage the breached information to impersonate victims, access accounts set up with this information, submit fraudulent insurance claims or combine it with other exposed data to gain access to even more user accounts.”

W. Curtis Preston, chief technical evangelist at cloud data protection firm Druva Inc., noted that third-party contractors are targets for an attack because they have access to sensitive data and are seen as a backdoor into more secure systems. “The reality is that you are only as secure as your partner network, so it is critical to ensure vendors and partners are aligned on security protocols and requirements,” he said.

Photo: Coolceasar/Wikimedia Commons