You’ve been hacked. We’ve all been hacked.
No one else has said it, but The Watchdog will. This is likely the largest and one of the more significant data breaches ever to hit Texans.
About 27.7 million Texas driver’s license holders are affected.
If you haven’t heard about this, that’s part of the problem. It’s almost like no one wants you to know.
Why 27.7 million affected licenses when Texas’ total population is around 28 million? Because the number includes former state residents and dead people who were issued licenses before February 2019. So, it includes just about everybody who held a Texas license going back an unknown amount of years. It doesn’t include children.
The Watchdog has the story.
Yes, the information involved here is already available on a paid data site such as PublicData.com, although that site is not always current. But there you have to look up each individual. With this breach, all the information is already bundled and in one place.
What do the crooks have? Your license information (name, address, DL number), the color, model, year and VIN of your vehicle and the lender to whom you make car payments.
I’ll show you how this happened, what crooks can do with the information and how you can be prepared.
The culprit here is a company you probably never heard of — Vertafore of Denver, which, like many companies, buys data from state governments. Vertafore works with the insurance industry to concoct ratings that help agents, brokers and others.
“As a result of human error,” Vertafore says in a news release, “three data files were inadvertently stored in an unsecured external storage service that appears to have been accessed without authorization.”
Someone found the information and grabbed the files before Vertafore realized it, the company says.
The FBI and state law enforcement are investigating.
It appears to The Watchdog that although this data breach began in March and continued to August, our Texas Department of Motor Vehicles, which stores vehicle information, and the Texas Department of Public Safety, which handles licenses, probably didn’t know about the hack until recently because their own databases were not compromised.
How do I know that?
The answer is revealing. First, initial word of this giant breach didn’t come from authorities or from the company. It came from a couple of Watchdog readers who got alerts from their Experian identity protection service that their driver’s license information was available on the dark web.
They apparently knew about this before state officials and local police departments did. That’s embarrassing.
After hearing from the two readers, I contacted DMV and DPS on Oct. 1 and asked if they knew about it. DMV sent me to DPS, which reported back that its databases were not compromised. I told the two readers and published the information that there was no hack. But there was.
DMV told me later it learned about the breach in mid-October. DPS said it was checking when it first learned, but DPS didn’t tell me.
These two readers — M. Perry and Sandra Bakkethun — were like canaries in the coal mine, warning ahead of time that there’s a leak, either in a mine, or in this case, an all-encompassing data breach. Hats off to Experian for catching this first.
“Thanks for reaching out,” a DPS spokesperson wrote to me on Oct 2, in response to my first inquiry. “DPS has no indication that there has been a breach of the Texas driver’s license system. The department is currently working with other governmental entities as well as the FBI to gather more information.”
DMV spokesperson Adam Shaivitz told me last week, “We were not aware of this incident at that time [when I originally asked in early October]. The Office of the Attorney General has an active investigation regarding Vertafore’s breach.”
The AG’s office declined comment because an investigation is pending.
‘Concerned and irritated’
Before I tell you how crooks can use it and what you can do, I want to publicly thank Perry and Bakkethun for alerting me early on, even if I couldn’t verify it at first.
When I informed them later that they were right, Perry said, “Well, well. My reaction is I’m not the least bit surprised. No wonder I had no idea about it until I was alerted to it being on the dark web. I knew eventually you’d find out something because when I called the police to report it, and they told me five or six other people had called the same day about the same thing, I knew that’s not just a coincidence.”
Crooks don’t need the actual physical driver’s license, something Perry, at first, didn’t understand.
“I don’t understand how or when my driver’s license could have been compromised. I have it on me at all times, and the only time I ever use it is if a doctor’s office needs it.”
Bakkethun, who first contacted me in September, said, “I am a little concerned and a lot irritated.”
She went on the DMV’s website looking for information, but there was none. (Remember, DMV said it didn’t know.)
“I am also wondering if you have any ideas about what I should do now about my license. Any suggestions are greatly appreciated.”
‘Lots of ways’
I do. But first, some good news. Here’s what was not taken: your signature on your driver’s license, photograph, audit number, eye color, gender or height information. No Social Security numbers or other financial account information were taken.
The culprit company said in a statement, “We are also not aware of any way this information could be used to commit fraud.”
Doh. Here, I must educate Vertafore on how this thievery works.
If I’m a crook, I can send you a letter or email pretending to be from your lending institution, identifying the correct vehicle you own and asking you to send your payment to a different address. Or possibly, the thieves could offer you a special rate on your loan and ask you to click on a malicious web address or confuse you enough so you send them money. There’s a whole lot of ways to do this, Vertafore.
A new state law requires that companies must notify authorities and consumers within 60 days of a data breach. So that’s not much help here either. Nobody has officially notified you or me about this yet.
So what can you do?
First, note that Experian was the first alert here. My identity theft service has yet to inform me.
Second, keep an eye on your credit report, which you can get free. Go only to www.AnnualCreditReport.com or call 1-877-322-8228.
Third, Vertafore is offering us one year of free credit monitoring and identity restoration services. You can check in with Vertafore at 888-479-3560. Their website for this is www.vertafore.kroll.com.
Fourth, put a fraud alert on your credit accounts. I’ve shown how to do that before with Experian, Equifax and TransUnion.
If you want to learn more, The Watchdog recommends www.consumer.gov/idtheft and the Texas DPS Identity Theft Information Guide and the Identity Theft Resource Center (Idtheftcenter.org).