
Data breach warning after California DMV contractor hit by file-stealing ransomware

Zack Whittaker
Security Editor, TechCrunch
February 18, 2021
Potential Data Breach at California DMV

The California Department of Motor Vehicles has issued a warning regarding a possible data security incident. This alert follows a ransomware attack targeting one of its contractors.

Contractor Affected by Ransomware

Automatic Funds Transfer Services (AFTS), a Seattle-based company utilized by the DMV since 2019 for verifying address changes against a national database, recently experienced a ransomware attack. The specific ransomware strain involved remains undisclosed.

Data Potentially Compromised

According to a DMV statement, the breach may have exposed California vehicle registration records from the past 20 months. This data includes names, addresses, license plate numbers, and vehicle identification numbers.

Importantly, the DMV confirmed that AFTS does not possess, and therefore the breach did not compromise, customers’ Social Security numbers, dates of birth, voter registration details, immigration status, or driver’s license information.

DMV Response and Mitigation

The DMV immediately halted all data transfers to AFTS. It has also initiated an emergency contract to ensure the address verification service continues uninterrupted.

Wider Impact of the Breach

AFTS provides services across the United States, processing payments, invoices, and verifying addresses for various entities. Several municipalities have already acknowledged being affected by this data breach, indicating the scope may extend beyond the California DMV.

Attribution to Cuba Ransomware Group

Brett Callow, a ransomware expert and threat analyst at Emsisoft, suggests the Cuba ransomware group is the likely perpetrator. TechCrunch verified that a dark web site associated with the Cuba group lists AFTS as a victim.

The group claims to have stolen a range of sensitive data, including financial documents, bank correspondence, account movements, balance sheets, and tax records.

Ransomware Tactics Evolving

Traditionally, ransomware encrypts files, demanding a ransom for their decryption. However, many groups now also steal sensitive data and threaten public release unless a ransom is paid, capitalizing on the potential damage of data exposure.

Cuba Ransomware Group Profile

“Cuba is a data-exfiltrating ransomware group first observed in December 2019,” explained Callow to TechCrunch. “Their activities may have begun earlier, as some published data predates this timeframe.”

The encryption used by this group is considered secure, meaning encrypted files cannot be recovered without the attackers' decryption key, which is only released on payment. Unlike some groups, Cuba sometimes attempts to sell the stolen data, though whether any such sales have succeeded remains unclear.

Growing Ransomware Threat

Emsisoft’s data reveals that over 1,300 public and private sector organizations had data published on leak sites in 2020. Many more likely paid ransoms to prevent publication. This represents a significant and escalating problem.

Attempts to Contact the Ransomware Group

TechCrunch reached out to the Cuba ransomware group for comment but has not yet received a response.

AFTS Status and Response

AFTS is currently unreachable for comment. Their website is offline, displaying a message indicating “technical issues” and a commitment to restoration.

DMV Director’s Statement

Steve Gordon, the California DMV’s director, stated that the department is actively evaluating and implementing additional security measures to protect data held by the DMV and its contracted partners.

Previous Data Sales by California DMV

Reports from last year indicate that the California DMV generates over $50 million annually by selling drivers’ personal information to entities such as bondsmen and private investigators.

Scale of California Vehicle Registrations

California currently has more than 35 million registered vehicles.

Update

This article was updated on February 19 with new information from Emsisoft regarding the Cuba ransomware group.

Tags: California DMV, data breach, ransomware, data security, cyberattack, personal information

Contacting Zack Whittaker

Zack Whittaker currently serves as the security editor for TechCrunch, a prominent technology news outlet.

In addition to his editorial role, he is the author of "this week in security," a regularly distributed cybersecurity newsletter.

Methods of Communication

For secure communication, Zack can be reached via encrypted messaging through Signal, using the username zackwhittaker.1337.

Alternative contact methods include email. His official TechCrunch email address is zack.whittaker@techcrunch.com.

Anyone who receives a message purporting to come from Zack Whittaker can confirm its authenticity by requesting verification through that TechCrunch email address.