Vertafore Leak: Private Data of 28M Texans

An insurance software vendor ’fessed up to losing control of a huge cache of personal data. Vertafore Inc. lost the details of 27,700,000 Texas drivers.

The company is being hazy with the details, but it sounds like yet another misconfigured cloud bucket. What’s worse is there’s evidence that the data has been “accessed without authorization.”

But all this happened months ago. In today’s SB Blogwatch, we wonder why we’re only hearing about it now.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: BOOM.


TX PII FAIL

What’s the craic? Catalin Cimpanu reports—“Info of 27.7 million Texas drivers exposed”:

 The incident is believed to have taken place sometime between March 11 and August 1, and happened as a result of human error when … files were inadvertently stored in an unsecured external storage service. … Vertafore said … they discovered that the files had been accessed without authorization.

Exposed data included Texas driver license numbers, names, dates of birth, addresses, and vehicle registration histories. … An investigation is underway. The company is now also notifying Texas drivers whose data was exposed in the breach.

And Maggie Miller adds—“breach exposed nearly 28 million Texas driver’s license records”:

 The company noted that it has alerted the Texas Department of Motor Vehicles (DMV), the Texas Department of Public Safety (DPS), Texas Attorney General Ken Paxton (R) and federal law enforcement authorities. … A spokesperson for the Texas DMV [said] the Texas Attorney General’s Office had opened an investigation … but emphasized that none of the systems affected were Texas government networks.

“The Texas Department of Motor Vehicles was not hacked and was not the cause of the breach. … The Texas Department of Motor Vehicles takes protecting consumer information very seriously. The department classifies and protects data based on existing statutory regulations and industry principles, and retains and destroys all data in accordance with state and agency data retention and data sanitization policies.”

The Texas DPS similarly distanced state government systems from the breach: “There has been no breach of the Texas Driver License System or any other DPS database. … The Texas Attorney General’s Office, DPS, Department of Motor Vehicles and U.S. federal law enforcement are all looking into the matter.”

Ouch. What do the perps have to say for themselves? Making it sound like some sort of party—“Vertafore Data Event”:

 Vertafore takes data privacy and security very seriously. [Apparently not seriously enough. Every single org that leaks data spouts this pablum—could you not find something less empty to say?]

Immediately upon becoming aware of the issue, Vertafore secured the potentially affected files and has been investigating the event. [Shame you didn’t manage to secure the public’s data earlier.]

A leading consulting firm with expertise in these matters is assisting in the investigation. [Did that firm advise you to sit on this news for almost three months? Or was it that you didn’t want to derail your acquisition by Roper?]

Vertafore is actively assisting law enforcement. [Excellent news. Po-po hate it when people help them passively.]

And brendoelfrendo is similarly unimpressed with the DMV’s response:

 I appreciate that the Texas DMV wasn’t the direct cause of this breach, but they can’t completely pass the buck to Vertafore. At the very least, I would think they need to issue 28 million new licenses with new license numbers and invalidate the old ones.

Since this is likely to be an expensive and time consuming process, they should probably sue Vertafore to make them pay for it. And while they’re at it, they should probably make sure that Vertafore is never allowed to access this data again.

Realistically, none of this will happen; the compromised DL #s will remain valid in perpetuity. … And Vertafore won’t even be fined.

Aye, there’s the rub. So says rmdingler:

 Data breach lawsuits often fail because proving harm is nebulous. … Despite repeatedly routine carelessness with other people’s private information, penalties for security sloppiness never seem to get ramped up by our governors.

Until penalties for these infractions become much more severe, there will be no industry willingness to spend on security. Something like if the penalty for a breach is credit card related, you can’t accept those for payment for X months or until you sort it out to an oversight board’s satisfaction.

Wait. Pause. Is this actually a huge deal? austincheney thinks not:

 They also didn’t release anything that wasn’t already available by a variety of other means. This is all non-sensitive public data. So many comments … are an ad hoc emotional (crying) response to the phrase “leaked data” without any thought as to actual harms.

It is all public data irrespective of what you want. … You are imagining a harm that doesn’t exist.

I say this as somebody who lives in Texas, a supposed victim.

But, hey, at least nobody’s Social Security numbers were leaked, eh? “Great,” says stabiesoft, sarcastically:

 Now whoever buys this data breach info can easily match my name/DOB with their other breach with my SS# and fill in my DL and vehicle info. I imagine they already have my address from previous breaches. Thanks, Texas.

“I started with this thought half-jokingly,” writes function_seven, “But now I think I’m serious”:

 Every single SS# needs to be made public, along with the assigned name. Not just known-breached, but somewhere where it’s obvious that anyone could look it up as easily as looking up a phone number or mailing address.

Using Social Security numbers as some sort of proof you’re who you say you are is bat**** crazy these days. But we all pretend that it’s still secure somehow. If there was an embarrassingly public list of all SS#s, then banks would be forced to improve their vetting of applicants.

Meanwhile, this Anonymous Coward joins the dots:

 The Govt wants to restrict our encrypting, but THEY are too stupid to use it in the first place.

And Finally:

That time an explosion at a fish-bait farm was heard 20 miles away

Hat tip: Andrea James

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Avi Werde (via Unsplash)

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.