Security Breach at Address Verification Company May Compromise DMV Information

Contact:  Office of Public Affairs
2415 First Avenue
Sacramento, CA 95818
(916) 657–6437 | dmvpublicaffairs@dmv.ca.gov

FOR IMMEDIATE RELEASE
February 17, 2021

Potentially impacts vehicle registration records, no driver’s license information
DMV working with law enforcement and assessing additional privacy protections

Sacramento – The California Department of Motor Vehicles (DMV), out of an abundance of caution, is notifying customers that a company it uses to verify vehicle registration addresses has had a security breach. DMV systems have not been compromised and it is unknown if DMV data shared with the company has been compromised. An investigation is under way.

Automatic Funds Transfer Services, Inc. (AFTS) of Seattle was the victim of a ransomware attack in early February that may have compromised information provided to AFTS by the DMV, including the last 20 months of California vehicle registration records that contain names, addresses, license plate numbers and vehicle identification numbers (VIN). AFTS does not have access to DMV customers’ Social Security numbers, birthdates, voter registration, immigration status or driver’s license information, therefore this data was not compromised.

Upon being notified of the potential breach, the DMV immediately stopped all data transfers to AFTS and notified law enforcement, including the Federal Bureau of Investigation.

“Data privacy is a top priority for the DMV. We are investigating this recent data breach of a DMV vendor in order to quickly provide clarity on how it may impact Californians,” DMV Director Steve Gordon said. “We are looking at additional measures to implement to bolster security to protect information held by the DMV and companies that we contract with.”

The DMV has contracted with AFTS since 2019 to cross-reference addresses with the national database – which gets updated whenever someone files a change of address with the U.S. Postal Service National Change of Address Database – to ensure vehicle registration renewal notices are mailed to a customer’s current address. The DMV does not use this service to verify driver’s license addresses.

The DMV is initiating an emergency contract with a different address verification company to ensure there are no impacts to customer service. The DMV is reviewing processes with AFTS to determine the further security enhancements needed to prevent future breaches.

While the DMV Investigations branch has no indication at this time that information accessed by the ransomware attack on AFTS has been used by the attackers for any nefarious reason, the DMV urges customers to report any suspect activity to law enforcement. The DMV will continue to monitor the situation and work with the appropriate law enforcement agencies.