UCR vulnerability may have exposed private information
A problem with the Unified Carrier Registration plan’s website may have exposed Social Security or Tax ID numbers for thousands of users. UCR indicated that the vulnerability existed between March 1st and March 28th, 2019. The information exposed includes 23,000 Social Security numbers.
After a bit of searching, I found the actual notice from UCR, which I am embedding below. The undated notice has a metadata creation date of October 21. It notes that once UCR became aware of the problem on March 28, they eliminated the vulnerability by removing the use of Tax ID numbers in the National Registration System. Their investigation also found that there was no indication of any mass exfiltration of data during the vulnerable period in March. The exposure was limited to a Tax ID number shown in the web browser's status bar for the registration receipt.
There is no explanation of why there was such a long delay from March to October 21 in issuing the notification, but UCR did report the incident to the Federal Motor Carrier Safety Administration (FMCSA), which then asked them to run the 30,000 entries from the vulnerable time period through FMCSA’s MCMIS database to determine the number of registrants who may have provided a Social Security Number to the database as the Tax ID number. That analysis revealed that 23,000 individuals did use their SSN as their Tax ID. Those individuals have recently been sent notification letters offering them identity monitoring services.