A bizarre tale of revenge after a road rage incident has inadvertently exposed a data breach of personal information at the Department of Motor Vehicles in Utah.
FOX13 News reports:
Investigators are accusing a former employee at the DMV of taking people’s information and passing it to others, who would then go out and commit crimes. But state officials acknowledge they may have no way of knowing how widespread the problem is.
The investigation began last year with Salt Lake City firefighters, who were looking into a suspicious car fire in a Rose Park neighborhood. Lexie Atencio said she accidentally cut off a woman driving a pickup down her street, which quickly escalated into a road rage incident.
“I almost hit this woman and caused an accident,” Atencio said in an interview Wednesday with FOX 13. “She took it to a whole other level and decided to have someone come and torch my car.”
Atencio said she awoke in the middle of the night to find her car had been burned outside her home. A neighbor provided a description of a car seen nearby, matching the one involved in the road rage incident earlier, she said.
Upon learning that a woman involved in the fire worked at the DMV, fire department investigators questioned her and were surprised to learn that the woman was involved in more than they’d realized.
“This individual shared with us some information that, in all honesty, we weren’t even expecting to get,” [Salt Lake City Fire Marshal] Ellis told FOX 13.
A search warrant recently unsealed and obtained by FOX 13 News states that after being given her Miranda rights, the woman “admitted to using her computer access, as an employee of the Utah State Division of Motor Vehicles to illegally acquire personal information about private citizens.”
“She admitted to then disseminating that information to specific individuals for the sole purpose and with the understanding the information would be used to commit crimes against the unsuspecting private citizen,” a fire investigator wrote in an affidavit filed with the warrant.
“I believe she stated she’s been doing it for 14 years,” Ellis said.
The data that was improperly accessed allegedly includes names, addresses and the make, model and vehicle identification number. The DMV employee involved is no longer employed there; to be clear, she has not been arrested or charged with any wrongdoing at this time. Authorities are currently investigating and have requested an internal audit of the DMV system to aid in that investigation.
Putting aside all the typical cynical DMV stereotypes for a moment, what struck me about this story is the lack of technical oversight in such an agency, and how it might apply to broader situations.
To start, the DMV employee told investigators she’d been doing this for 14 years. How could that go on for so long unnoticed?
The DMV in Utah is overseen by the Utah State Tax Commission. That agency said “it is hard to know how widespread the data breach is.” A spokesman for the DMV told reporters that the current software makes it “difficult to verify who’s looked at what and when.” It stated that it does however train its employees thoroughly about the importance of confidentiality and warns against the release of any personal information, adding that employees sign agreements to that effect.
But how much of a deterrent is this if employee actions like these cannot even be tracked at such a level in the system? In this particular instance, the revelation of the DMV employee’s alleged abuse of access to personal data was an all but accidental discovery.
I don’t know for certain that the Utah DMV is a state government agency, I assume it is. Even if it is privatized, it is an agency overseen by the state government to collect government mandated personal data. So I am viewing this regardless as a government responsibility to protect the information of private citizens as best it possibly can. This case does not instill much confidence in that for me.
With the recent scandals occurring in other government agencies on a much broader scale, it’s hard not to look at this case and wonder how well (or how poorly) agency employees’ access to and use of private citizens’ personal data is monitored and tracked for potential abuse.