Data of 27 Million Texas Drivers Compromised in Breach
Misconfigured Database Might Have Led to Data Exposure, Security Experts Say
An unauthorized person apparently gained access to a database of insurance software firm Vertafore earlier this year and compromised the driver's license data of over 27 million Texas citizens, the company detailed this week.
Vertafore says in a statement issued on Nov. 10 that the entry was made between March 11 and Aug. 1, when someone gained access to a database within the company's insurance rating tool that contained information on Texas drivers.
The breach was discovered in mid-August, Vertafore says.
"The files, which included driver information for licenses issued before February 2019, contained Texas driver license numbers, as well as names, dates of birth, addresses and vehicle registration histories," the company reports.
Social Security numbers and financial account information for the drivers are not stored in this database, nor is data pertaining to partners, vendors or other suppliers, according to the statement. The company adds that no system vulnerabilities have been identified.
The Texas Department of Transportation did not immediately reply to a request for comment.
The absence of an identified system vulnerability could mean the data was obtained through a database configuration error, says Tim Wade, technical director of the CTO Team at security firm Vectra.
"Early reports seem to indicate that a misconfiguration is at the root cause of this disclosure," Wade says. "Unfortunately, this is all too common, and if those reports are accurate, this is an example of how serious even something as seemingly innocuous as a simple access misconfiguration can become."
Misconfigured databases leading to data loss have plagued hundreds of companies over the past several years. Bill Santos, president of Cerberus Sentinel, says having a security-aware corporate culture is key to stopping these types of incidents, which are almost always due to human error.
Javvad Malik, security awareness advocate with KnowBe4, says the problem can be addressed through training and education as well as deploying technical controls.
In its statement, Vertafore notes that it's still investigating the incident with security firms. Law enforcement agencies in Texas and the FBI are also investigating.
"Vertafore immediately engaged a leading intelligence firm to search for evidence indicating potential misuse of this information in connection with this event," according to the company. It adds that no evidence so far has been uncovered to indicate the compromised information has been misused. Vertafore is offering those affected one year of free credit monitoring and identity restoration services.