[ISN] Vehicle-license database compromised

From: mea culpa (jerichoat_private)
Date: Fri Sep 04 1998 - 08:54:39 PDT

  • Next message: mea culpa: "[ISN] Phantom pornography disrupts British Lords' Web site"

    Forwarded From: blueskyat_private
    
    Posted at 02:10 a.m. PDT; Friday, September 4, 1998 
    
    Vehicle-license database compromised 
    
    by Peter Lewis 
    Seattle Times staff reporter 
    
    A state database containing driver- and vehicle-license information is
    undergoing major surgery today while the Department of Licensing (DOL)
    struggles to close a security breach exposed by a Sunnyside online news
    site.
    
    "We'll take the hit on dealing with complaints because we need to
    safeguard the privacy of information," DOL spokesmanMark Varadian said
    yesterday.
    
    The database, known as VIPS (Vehicle/Vessel Information Processing
    System), normally operates 24 hours a day, seven days a week and houses
    information about registered vehicles, including owner addresses. It was
    taken down Wednesday afternoon after DOL learned that Larry Ashby,
    publisher of the online Yakima Valley News had posted on his Web site:
    http://www.yakvalnews.com/ what he thought were access codes to the
    system.
    
    Ashby acted after the state decided to terminate his access, Varadian
    said. DOL had determined that the account belonging to Northwest
    Publishing, the parent company of Yakima Valley News, no longer qualified
    for access under rigorous federal privacy standards that took effect last
    year governing driver information.
    
    Ashby yesterday defended his decision to post the information, contending
    that it's public record. 
    
    In fact, what Ashby posted were some of the four-digit contract numbers
    belonging to the 2,100 customers with access to VIPS. He received those
    numbers by filing a public-records-disclosure request with DOL.
    
    By chance, some of the contract numbers matched access-code numbers of
    different customers. That coincidence caused DOL to shut down VIPS until
    computer experts can devise an "enhanced"  security system.
    
    Varadian could not say how long that might take, or what it would cost.
    
    He also said state lawyers have preliminarily determined that Ashby
    probably didn't commit a crime by merely posting the information. But
    anyone who tries to hack into VIPS using the information could be
    prosecuted for criminal trespass.
    
    VIPS contains information on about 6 million registered drivers. It is an
    automated system used primarily by insurance companies and auto dealers
    who need to confirm information about vehicle ownership, makes and models,
    Varadian said.
    
    The user dials into the voice-based system from a touchtone phone, enters
    his account number and follows a series of prompts to retrieve
    information, which is conveyed by a computerized voice.
    
    While the system has been taken out of commission, users now must call
    during business hours to reach DOL staff, who will ask them for their
    business names to verify their accounts. Normally, VIPS gets about 1,200
    hits a day, Varadian said.
    
    Last year, Oregon tightened up public access to driver and vehicle
    information after a computer consultant put 3 million motor-vehicle
    records on the Internet. Most Oregonians were angered after the
    consultant, who paid $222 for the list, posted the data to his Web site. 
    More than 21,000 people are estimated to have visited the site.
    
    Washington's DOL does not sell its driver-information records, though it
    makes them available to selected businesses and investigators. 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:03:11 PDT