California DMV might be the latest victim to a major credit card data breach. MasterCard notified some banks that an online breach has taken place, and fingers are pointing to DMV. DMV responded by stating that there is no evidence of any breach. However, as a precautionary measure they have launched an investigation, and forensic review, looking into their system, and that of its credit card processing vendor. Although DMV did not mention the processor by name, a few sources indicate that it’s Elavon.
Who is to Blame
Right now, it’s too early to say if there was any breach, and who is to blame. Just because Mastercard or Discover reaches out to a merchant about a potential breach, doesn’t mean there is a breach. Sometimes it’s just a coincidence. If there was a breach, it would most likely be with the credit card processor, not DMV. DMV probably outsources the management and maintenance of all its corporate applications, on the backend and fronted. By the looks of it, IBM is managing most of DMV’s systems. And it’s highly unlikely that a breach occurs under IBMs watch, especially when they are responsible for maintaining the applications.
There are a few takeaways from this incident. First, every city, state and federal agency that processes online transactions is at risk of a credit card breach. If you count DMV, Water and Power, US Traffic Courts, and all other agencies located in most cities in America, we are probably talking about thousands of entities that are at risk. That leads to the question, how can a online business protect itself from credit card data breach, malware, DDoS, APTs, Zero-day and all other threats. That’s a discussion for the next post. Snapshot of DMV Breach