Over the weekend the Hash reported on a story published by Brian Krebs, and continued to chase open threads, resulting in new information. Here's a recap of the story, including additional commentary in order to address a reader's questions.

[The original story and updates can be viewed here.]

Journalist Brian Krebs broke the story Saturday, based on information he received from MasterCard regarding a CNP (card-not-present) breach. The common thread between the cards that were flagged was the California Department of Motor Vehicles (DMV). Krebs contacted several banks; all of them confirmed the link and the warning from MasterCard.

Speaking to the Hash, law enforcement officials have said that American Express cards were also potentially compromised, and Visa told Krebs they are aware of the issue, but as of Friday, had not issued an advisory on the matter.

Moreover, law enforcement officials have told the Hash that as of noon last Friday, the US Secret Service has become involved with the matter. Attempts to contact the agency for comment have been unsuccessful.

According to the MasterCard alert:

"...the potentially compromised transactions extended from Aug. 2, 2013 to Jan. 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards."

The California DMV speaks out...

The California DMV was contacted by law enforcement on Friday and told of a potential security incident with their credit card payment processor.
In a statement to the Hash, the California DMV noted that there was no evidence of a direct breach of their systems.

From their statement:

"However, out of an abundance of caution and in the interest of protecting the sensitive information of California drivers, the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement."

"In its investigation, the department is performing a forensic review of its systems and seeking information regarding any potential breach from both the external vendor that processes the DMV’s credit card transactions and the credit card companies themselves."

The Hash discovered that both firms operate with what's often called a $0 (zero-dollar) contract. These are MSA (master service agreement) contracts with no commitment from the state.

This means that various state agencies can select whom they wish to work with, and keep the right to compete for new business if the need arises. The MSA contracts started in 2010, and they expire in 2015.

First Data Contract / Elavon Contract

In a statement to the Hash, Tom Joyce, a spokesman for US Bancorp (Elavon is one of their business units), said:

"At this time, there is NO confirmation of a data breach at the California DMV. We are in touch with the CA-DMV and the authorities to determine if there has been any issue."

Further, First Data confirmed the MSA contract, but said they are not the processor for the California DMV.

Thus, the processor mentioned by the California DMV is Elavon, who isn't confirming the breach reports from MasterCard, but they're not denying them either.

The California DMV says that 24 million drivers are registered in their system.
Last year, more than 8 million people registered a vehicle or renewed a license using the Web; those with credit cards would see the transaction listed as a CNP by their bank.

This story will be updated when new information is available.

On Twitter, one reader asked:

"Riddle me this - If a payment processor was breached, why are only Cali DMV cards affected?"

In California, the only way to pay for services with a credit card is to do so online, as branch locations in the state only accept cash, checks, or debit cards. In the MasterCard alert, the banks were told of the CNP breach, and given a list of cards that were impacted.

CNP (card-not-present) transactions are usually online or over the phone. The common purchase between each of the impacted credit cards was the California DMV, which could only have happened online.

So the answer to the question is in the business model of payment processing.

Most merchant accounts (what allows a business to take credit cards) are only for a single merchant. If Elavon is the processor for the DMV and, say, the California Highway Patrol, those are two separate merchant accounts. A breach at the DMV wouldn't impact the CHP and vice versa.

It is entirely possible that the breach extends beyond the DMV, but there is no proof that it has. So far, the only cards potentially compromised are those that were used online for DMV transactions in the six months flagged by MasterCard.

The reader responded:

"I just find it very hard to believe that processor would be the source of the breach. The DMV SEEMS [like] a far easier / softer target."

This is actually correct in my opinion. The DMV would be the softer target.
Government agencies like the DMV (not just in California, but everywhere) try to keep up with security, but often fall behind when it comes to defending against current threats.

That's a nice way of saying security at the state government level is just awful, and those charged with protecting the network are often buried in red tape, stripped of any real power to act and do their jobs. It's politics at its best. If not for the law enforcement warning, it's likely the DMV might have never known about the incident.

So yes, the DMV is the softer target, but why an attacker would target the processor instead depends on a number of things. It's possible that a socially-engineered attack gave the attackers better access to the processor. Or, perhaps a flaw somewhere in the processor's infrastructure was exploited remotely. The same thoughts apply if the DMV was in fact the source of the breach.

In any event, the only way to know for sure would be to know the IOCs (indicators of compromise) that alerted the investigators. For their part, MasterCard would have been told by law enforcement, which would confirm their own internal fraud detection programs.

So something tipped the investigators off, and that something could be the key to learning why the attackers picked one target over another. At this stage, no one knows but the investigators themselves, and that isn't likely to change any time soon.