State

California DMV data breach shared Social Security information of thousands

About 3,200 residents had their personally identifying information made available to seven other federal and state agencies, including the U.S. Department of Homeland Security.

By Ryan Johnston

November 6, 2019

(Omar Bárcena / Flickr)

More than 3,000 California residents had their personal information, including Social Security and driver’s license information, improperly accessed by seven other agencies as part of a data breach announced by the state’s department of motor vehicles on Tuesday.

Over the last four years, federal agencies, including the Internal Revenue Service, U.S. Department of Homeland Security and Small Business Administration, as well as the district attorneys offices in Santa Clara and San Diego counties, were granted access to the Social Security information of 3,200 people who were under investigation or serving as witnesses in criminal cases.

The breach, which did not involve hacking, was found Aug. 2 by the DMV, which cut off access to the information upon discovery, Anita Gore, an agency spokeswoman, told the Los Angeles Times. The DMV also issued letters to the breach victims who are not under investigation. But Gore said notifications took three months because the agency had to ensure that it did not tip off people who are actually the targets of investigations.

The breach was discovered just weeks after Gov. Gavin Newsom appointed a new DMV director to correct the agency’s myriad IT problems, which have also included a botched rollout of Real ID-compliant licenses, and mis-registering 23,000 voters.

The Santa Clara and San Diego prosecutors were responsible for accessing data on 3,000 of the 3,200 people included in the breach as part of criminal or tax investigations. DHS accessed information on fewer than 200 people, including six immigrants who were in the country illegally. It’s unclear if the information was accessed to investigate the immigration status of those people, DMV officials said. California has since 2013 issued licenses to undocumented immigrants who can prove their identity and state residency, with officials saying that information would not be shared with federal immigration authorities.

“Protection of personal information is important to DMV, and we have taken additional steps to correct this error, protect this information and reaffirm our serious commitment to protect the privacy rights of all license holders,” Gore, the DMV spokeswoman, told the Times. “That’s why DMV immediately began correcting the access error following a legal compliance review, ensured that no additional confidential information was disclosed to these entities, and has implemented several additional layers of review.”