Brian Krebs reports that what’s already been a bad month for California residents in terms of data breaches just got worse:
The California Department of Motor Vehicles appears to have suffered a wide-ranging credit card data breach involving online payments for DMV-related services, according to banks in California and elsewhere that received alerts this week about compromised cards that all had been previously used at California DMV locations.
The alert, sent privately by MasterCard to financial institutions this week, did not name the breached entity but said the organization in question experienced a “card-not-present” breach — industry speak for transactions conducted online. The alert further stated that the date range of the potentially compromised transactions extended from Aug. 2, 2013 to Jan. 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards.
Read more on Krebs on Security. There is no statement up on DMV at the time of this posting, nor any notification to the California Attorney General’s breach website (yet).
Update 1: California DMV says they’ve found no evidence of a direct breach of their computer system.
Update 2: Krebs suggests the breach may be at DMV’s payment processor, which he identified as Elavon. He has been unable to reach them for a response.
Update 3: Krebs could not reach Elavon officials for comment, “But a spokesperson for Elavon parent firm U.S. Bank told him that ‘there has been NO confirmation of a breach. We are in touch with the CA-DMV and the authorities to determine if there is an issue.’ ”