California DMV said to be source of recent data breach

Journalist Brian Krebs has the story. Sources within MasterCard shared an alert issued this week that reported a CNP (card-not-present) breach. The common thread is the California DMV. CNP transactions are typically associated with purchases made over the phone or online. In California, credit cards are not accepted at branch locations, just debit cards.

According to the MasterCard alert:

“…the potentially compromised transactions extended from Aug. 2, 2013 to Jan. 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards.”

Krebs contacted five different financial institutions to confirm the MasterCard alert. All of them confirmed it and the commonality between the flagged cards were “STATE OF CALIF DMV INT” – the record marker for a charge made at the department of motor vehicles online.

Visa also told Krebs they were aware of the California DMV incident, but have held back on issuing an alert.

They took my name, email, and phone number and quickly ended the call. My guess is that this is a bad time to be on-call in the media department.

It’s also worth noting that while all of the cards flagged by MasterCard have made a purchase at the DMV, that doesn’t mean the DMV is the source of the breach.

The source of the breach could be the company that processes all of the online transactions for the DMV.

Update:

As it turns out, my guess was correct.

In a statement, the California DMV says that the problem is with the firm that manages their credit card processing.

The statement, given to various media late in the evening eastern time on Saturday, said that law enforcement notified the California DMV about a potential security issue with their credit card processing services.

Further, the statement adds that there is no evidence of a direct breach of the California DMV systems.

“However, out of an abundance of caution and in the interest of protecting the sensitive information of California drivers, the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement.”

“In its investigation, the department is performing a forensic review of its systems and seeking information regarding any potential breach from both the external vendor that processes the DMV’s credit card transactions and the credit card companies themselves.”

The question now, is who’s processing the credit cards for the California DMV, and who else are they processing cards for?

Update 2:

There are two possible processors at the California DMV. This is because the State of California has two primary sources of payment processing that bid to compete for business with various agencies. The first, as mentioned by Brian Krebs, is Elavon. The second is First Data.

On Twitter, a contact gave Krebs a link to a document that seems to be an agreement for merchant processing services with the state of California. I discovered the same document before knowing that Krebs published it by searching Google.

Along with the document for Elavon, I also discovered the exact same document for First Data.

The reason is because both firms operate with what’s often called a $0 contract. These are MSA (master service agreement) contracts with no commitment from the state. This allows the state a right to compete for new business if that becomes the case or if there is a need.

You can see all documents in this process by following the link on the vendor’s name. Krebs’ story focuses on Exhibit G, but all of the documents give a better overview of the relationship they have with the state.

5-10-99-01 (First Data)

5-10-99-02 (Elavon)

The contracts for both vendors expire May 31, 2015. They began on June 23, 2010.

In July, the year the contract started, the Department of General Services issued a memo stating that the MSA contracts for EPAY Services (electronic payments) were executed with Elavon and First Data, effective immediately.

“This MSA is designated as mandatory for State of California government entities that seek to acquire credit and debit card payment acceptance services. It is recommended that agencies contract for EPAY processing services from a single contractor.”

The Hash has contacted both First Data and Elavon for comment. This story will be updated when (or if) they respond.