Millions of drivers’ registration records may have been exposed following a security breach involving a contractor for California’s Department of Motor Vehicles (DMV).

Automatic Funds Transfer Services (AFTS) of Seattle, which the department uses to verify vehicle registration addresses, was the victim of a ransomware attack in early February.

As a result, data provided to AFTS by the DMV may have been compromised, including the past 20 months of the state’s vehicle registration records containing names, addresses, licence plate numbers and vehicle identification numbers, the department said.

“Approximately 38 million records have potentially been compromised,” the SFGATE news website quoted a DMV spokeswoman as saying. The number of people possibly affected is less because many drivers own more than one vehicle.

The department said it is unknown if DMV data shared with AFTS has been compromised. An investigation is under way.

The department has stopped all information transfers to AFTS and notified law enforcement, including the Federal Bureau of Investigation (FBI).

“Data privacy is a top priority for the DMV,” said its director Steve Gordon. “We are looking at additional measures to implement to bolster security to protect information held by the DMV and companies that we contract with.”

The department is now using a different address verification company to maintain customer service, and is reviewing processes with AFTS to determine further security enhancements to prevent future breaches.

The DMV has contracted AFTS since 2019 to cross-reference addresses with the national database, which is updated when someone files a change of address with the national postal service, to ensure vehicle registration renewal notices are mailed to a driver’s current address.

“While the DMV investigations branch has no indication at this time that information accessed by the ransomware attack on AFTS has been used by the attackers for any nefarious reason, the DMV urges customers to report any suspect activity to law enforcement,” it said.

The department also stated AFTS has no access to drivers’ social security numbers, birthdates, voter registration, immigration status or driver’s licence information, so that data was not compromised.
