The California DMV has confirmed that there was no breach of its systems. A breach had originally been reported in March by Brian Krebs, but the DMV quickly denied it was their breach, leading Krebs to suggest that it was at their payment processor, Elavon, who also denied any breach.
Today, Jeanne Price of idRADAR.com reports that the DMV has concluded their investigation and reiterates that there is no evidence of any breach in their system. But was their a breach somewhere else that would account for the initial reports? Price reports that the DMV’s payment processor, Elavon, did not respond to a request for comment. And she aptly captures the confusion surrounding the situation:
To sum up the state’s position: no internal compromise, no external one. Most readers would interpret those two separate statements to indicate that no breach occurred at any level that involved online DMV business. That would mean that MasterCard, local banks, federal law enforcement and journalists were incorrect in believing a breach had occurred, That is of course a possibility but that collection of experts is not known for jumping to conclusions without some evidence.
The processing service DMV uses was unnamed in March and remains unnamed in any DMV publications it is Evalon, a Georgia-based card processer wholly owned by US Bankcorp. Evalon’s contract with the state began in June 2010 and idRADAR News confirmed that the contract continues today. Clearly a breach at Evalon could have impacted customers far beyond the borders of California as the company handles over 3 billion transactions annually.
DMV breach speculation has been reported on frequently in recent months as if it were fact. The unconfirmed incident recently landed on an ‘8 Infamous Data Breaches of The Past Year’ list. However neither DMV nor Evalon has filed a data breach notification with the California Attorney General’s Office as of June 24. Such notice is required whenever a breach involved more than 500 state residents.