Credit and debit card breaches are becoming commonplace among retailers lately, but the latest intrusion didn't occur on any department store's turf. Brian Krebs recently reported that the California Department of Motor Vehicles is investigating a credit card breach of five months' duration, involving transactions conducted online.
Krebs' site, KrebsonSecurity, referred to private notices sent to banks doing business in California by MasterCard (NYSE:MA), indicating that card numbers – including the supposedly sacrosanct three-digit security code on the back of the card – were stolen, as well as expiration dates.
The breach may have encompassed transactions completed online between Aug. 2, 2013 and Jan. 31, 2014. While there is no estimate on just how many accounts may have been compromised, the DMV noted that nearly 12 million persons completed online transactions with the department in 2012 – which was 6% higher than the number of transactions in 2011.
Details are sketchy
While the MasterCard notice seems to have gotten the ball rolling on this issue, there are few details coming to light. The California DMV posted a notice on its site shortly after it learned of the problem, saying that it had been alerted by law enforcement. The department noted that it is investigating the issue, and is in contact with credit card companies and its card processing vendor.
For its part, Elavon, the DMV's card vendor, said that it had no evidence of a breach of any kind. Elavon is a subsidiary of U.S. Bank.
Which banks did MasterCard notify of the possible breach? That is not known, either. It's a good bet, though, that banking partners with a large presence in California would be on the list, like Bank of America (NYSE: BAC). No doubt Wells Fargo (NYSE: WFC), headquartered in San Francisco, also was warned by MasterCard. Both banks were also heavily involved in last year's Target card breach, and were forced to replace an unspecified number of customer debit and credit cards that were at possible risk.
There's no reason to think that Visa (NYSE:V) cards were exempt, but the company did not send out an alert of its own. A spokesperson from the payments firm would only say that the company doesn't comment on "potential third party data compromises."
A new target?
Although California is a favored target of hackers due to the perception of high levels of wealth inhabiting the state, a DMV hack could conceivably happen anywhere in the U.S. While consumers can at least opt to pay cash at retailers to avoid security issues, the same cannot be said for online transactions, where many fewer options for payment are available. As for DMV business, well, no one is apt to stop driving in order to protect their personal information.
What can people do to protect themselves? Krebs has some expert advice. Place a fraud alert on your credit file every 90 days with one of the three major entities, which, in turn, must notify the other two. In addition to alerting either Experian, Equifax, or Trans Union, alert Innovis, as well. Renew the alert every 90 days, the time frame allowed by law. Considering how prevalent data breaches are these days, this slight inconvenience could be the simplest way to protect your data from hackers.