Forwarded From: blueskyat_private

Posted at 02:10 a.m. PDT; Friday, September 4, 1998

Vehicle-license database compromised

by Peter Lewis
Seattle Times staff reporter

A state database containing driver- and vehicle-license information is undergoing major surgery today while the Department of Licensing (DOL) struggles to close a security breach exposed by a Sunnyside online news site.

"We'll take the hit on dealing with complaints because we need to safeguard the privacy of information," DOL spokesman Mark Varadian said yesterday.

The database, known as VIPS (Vehicle/Vessel Information Processing System), normally operates 24 hours a day, seven days a week and houses information about registered vehicles, including owner addresses.

It was taken down Wednesday afternoon after DOL learned that Larry Ashby, publisher of the online Yakima Valley News, had posted on his Web site: http://www.yakvalnews.com/ what he thought were access codes to the system.

Ashby acted after the state decided to terminate his access, Varadian said. DOL had determined that the account belonging to Northwest Publishing, the parent company of Yakima Valley News, no longer qualified for access under rigorous federal privacy standards that took effect last year governing driver information.

Ashby yesterday defended his decision to post the information, contending that it's public record.

In fact, what Ashby posted were some of the four-digit contract numbers belonging to the 2,100 customers with access to VIPS. He received those numbers by filing a public-records-disclosure request with DOL.

By chance, some of the contract numbers matched access-code numbers of different customers. That coincidence caused DOL to shut down VIPS until computer experts can devise an "enhanced" security system.

Varadian could not say how long that might take, or what it would cost.

He also said state lawyers have preliminarily determined that Ashby probably didn't commit a crime by merely posting the information. But anyone who tries to hack into VIPS using the information could be prosecuted for criminal trespass.

VIPS contains information on about 6 million registered drivers. It is an automated system used primarily by insurance companies and auto dealers who need to confirm information about vehicle ownership, makes and models, Varadian said.

The user dials into the voice-based system from a touchtone phone, enters his account number and follows a series of prompts to retrieve information, which is conveyed by a computerized voice.

While the system has been taken out of commission, users now must call during business hours to reach DOL staff, who will ask them for their business names to verify their accounts.

Normally, VIPS gets about 1,200 hits a day, Varadian said.

Last year, Oregon tightened up public access to driver and vehicle information after a computer consultant put 3 million motor-vehicle records on the Internet.

Most Oregonians were angered after the consultant, who paid $222 for the list, posted the data to his Web site. More than 21,000 people are estimated to have visited the site.

Washington's DOL does not sell its driver-information records, though it makes them available to selected businesses and investigators.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]