Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)

Data of 27 Million Texas Drivers Compromised in Breach

Misconfigured Database Might Have Led to Data Exposure, Security Experts Say
Data of 27 Million Texas Drivers Compromised in Breach
(Photo: Wikipedia)

An unauthorized person apparently gained access to a database of insurance software firm Vertafore earlier this year and compromised the driver's license data of over 27 million Texas citizens, the company detailed this week.

See Also: 13 Essential Criteria to Consider For Cyber Resilience in IR & SoC Teams

Vertafore says in a statement issued on Nov. 10 that the entry was made between March 11 and Aug. 1, when someone gained access to a database within the company's insurance rating tool that contained information on Texas drivers.

The breach was discovered in mid-August, Vertafore says.

"The files, which included driver information for licenses issued before February 2019, contained Texas driver license numbers, as well as names, dates of birth, addresses and vehicle registration histories," the company reports.

Social Security numbers and financial account information for the drivers are not stored in this database, nor is data pertaining to partners, vendors or other supplier data, according to the statement. The company adds that no system vulnerabilities have been identified.

The Texas Department of Transportation did not immediately reply to a request for comment.

Misconfigured Database?

The possibility that a system vulnerability does not exist could mean the data was obtained through a database configuration error, says Tim Wade, technical director of the CTO Team at security firm Vectra.

"Early reports seem to indicate that a misconfiguration is at the root cause of this disclosure," Wade says. "Unfortunately, this is all too common, and if those reports are accurate, this is an example of how serious even something as seemly innocuous as a simple access misconfiguration can become."

Misconfigured databases leading to data loss have plagued hundreds of companies over the past several years. Bill Santos, president of Cerberus Sentinel, says having a security-aware corporate culture is key to stopping these types of incidents, which are almost always due to human error.

Javvad Malik, security awareness advocate with KnowBe4, says the problem can be addressed through training and education as well as deploying technical controls.

In its statement, Vertafore notes that it's still investigating the incident with security firms. Law enforcement agencies in Texas and the FBI are also investigating.

"Vertafore immediately engaged a leading intelligence firm to search for evidence indicating potential misuse of this information in connection with this event," according to the company. It adds that no evidence so far has been uncovered to indicate the compromised information has been misused. Vertafore is offering those affected one year of free credit monitoring and identity restoration services.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.