A software company that provides services for insurance groups disclosed this week that about 27.7 million Texas driver’s license records were exposed in a data breach earlier this year.
The company, Vertafore, said in a statement posted on a website set up to address the breach that the data was exposed between March and August and affected licenses issued before February 2019.
Exposed data included driver’s license numbers, addresses, dates of birth and vehicle registration history, according to the company. The group said that no Social Security numbers or financial account information were compromised.
The breach happened after three files were accessed by an unauthorized user after the files were “inadvertently stored in an unsecured external storage service,” Vertafore said in its statement.
“Immediately upon becoming aware of the issue, Vertafore secured the potentially affected files and has been investigating the event and the extent to which data may have been impacted,” the company wrote.
The company noted that it has alerted the Texas Department of Motor Vehicles (DMV), the Texas Department of Public Safety (DPS), Texas Attorney General Ken Paxton (R) and federal law enforcement authorities.
The company said it had become aware of the breach in August, and had immediately hired a “leading intelligence firm” to determine if any of the exposed data had been stolen and misused.
While the firm did not find any evidence of this, Vertafore said that it is providing a year of free credit monitoring and identity restoration services to all Texas residents whose driver’s license data was exposed.
A spokesperson for the Texas DMV told The Hill that the Texas Attorney General’s Office had opened an investigation into the breach, but emphasized that none of the systems affected were Texas government networks.
“The breach of information was caused by Vertafore. The Texas Department of Motor Vehicles was not hacked and was not the cause of the breach,” the Texas DMV spokesperson said. “The Texas Department of Motor Vehicles takes protecting consumer information very seriously. The department classifies and protects data based on existing statutory regulations and industry principles, and retains and destroys all data in accordance with state and agency data retention and data sanitization policies.”
The Texas DPS similarly distanced state government systems from the breach.
“There has been no breach of the Texas Driver License System or any other DPS database,” the Texas DPS told The Hill in a statement. “The department is aware of the data event that occurred at Vertafore. The Texas Attorney General’s Office, DPS, Department of Motor Vehicles and U.S. federal law enforcement are all looking into the matter.”
Vertafore emphasized in disclosing the breach that it was taking steps to enhance employee cybersecurity and privacy training, reinforcing security procedures and policies, and further enhancing the security of its systems.
“These complex investigations take time,” Vertafore wrote. “We moved quickly and took care and time to be able to obtain and deliver accurate information. We sincerely regret any inconvenience this may cause.”
“Vertafore maintains a variety of information security policies, procedures, practices and controls,” the company added. “We continually monitor our network and systems for unusual activity. Unfortunately, Vertafore, like any other company, is not immune from this type of event.”