DMV Breach Investigation: An Analysis
Experts Don't Suspect Link to Retailer Attacks
It could be several days or weeks before the California Department of Motor Vehicles confirms whether its online payments processing system was the target of a cyber-attack that ultimately compromised credit and debit card details.
But financial services industry sources tell Information Security Media Group that if the breach at the California DMV is ultimately confirmed, it's not likely that the attack would be found to be connected to the wave of point-of-sale compromises that exposed payments card data at national retailers Target Corp., Neiman Marcus, Sally Beauty Supply and others.
They point out that transactions potentially compromised at the DMV are card-not-present transactions conducted online, while in all of the recent retail breaches, compromised card details were traced back to card-present transactions conducted at points of sale within stores. As a result, they don't believe a DMV breach, if confirmed, would be linked in any way to the retailer breaches.
Details from DMV
In a statement issued March 22, the California DMV says it was alerted by law enforcement of a "potential security issue within its credit card processing services." However, no evidence of a direct breach of the DMV's computer system has yet been found, the department adds (see Calif. DMV Investigates Possible Breach).
"In its investigation, the department is performing a forensic review of its systems and seeking information regarding any potential breach from both the external vendor that processes the DMV's credit card transactions and the credit card companies themselves," states Armando Botello, public information officer for the California DMV, in the statement.
Two card issuers tell Information Security Media Group they have received alerts from MasterCard regarding suspicious card activity linked to the California DMV that could suggest a breach.
But MasterCard would not comment about whether it had identified suspicious activity linked to the DMV. It did say, however, that MasterCard's own systems had not been attacked.
The DMV's payments processor, Atlanta-based Elavon Inc., a business unit of U.S. Bancorp, did not respond to Information Security Media Group's request for comment about whether it suspected its network had been breached. But Teri Charest, a spokeswoman for U.S. Bank, says Elavon is reviewing a possible compromise with the DMV.
"We are in touch with the CA-DMV and the authorities to determine if there is an issue," she says.
What Compromise Could Mean
Shirley Inscoe, a fraud expert and analyst for consultancy firm Aite, says if online DMV transactions were compromised, card issuers serving California should be bracing themselves for significant upticks in fraudulent transactions.
That's because if a breach did occur, then it's safe to assume that the three-digit security code, also known as the card verification number, used to authorize card-not-present transactions also was compromised, Inscoe says.
"This data can be used for online purchases without any problems until all the cards are shut down," she says.
While the DMV says there is no evidence to suggest that its own computer system or network suffered a direct breach, John Buzzard, who oversees FICO's Card Alert Service, says he believes if a breach did occur, it was a contained event. Buzzard says if a third party had been compromised, fraudulent transactions would be traced to other merchants as well.
"Typically, with a processor-level breach, you have several merchants affected because they all do business with the same processor," he says. "If this is a single merchant and no one else is involved, then I'm thinking that the real answer is going to come out of a post-forensic investigation."
But Al Pascual, an analyst with the consultancy Javelin Strategy & Research, says if a breach at the processor is to blame, then card issuers will have much bigger worries on their hands.
"A potential processor breach is far more disconcerting, given that a huge volume of card data across multiple merchants could be affected," he says. "While there has been no word that any cards other than those processed by the California DMV were compromised, Elavon should get out ahead of this story, especially considering the enhanced vendor management focus being espoused by regulators and PCI."