Data breach warning after California DMV contractor hit by file-stealing ransomware

California’s Department of Motor Vehicles is warning of a potential data breach after a contractor was hit by ransomware.

The Seattle-based Automatic Funds Transfer Services (AFTS), which the DMV said it has used for verifying changes of address with the national database since 2019, was hit by an unspecified strain of ransomware earlier this month.

In a statement sent by email, the DMV said that the attack may have compromised “the last 20 months of California vehicle registration records that contain names, addresses, license plate numbers and vehicle identification numbers.” But the DMV said AFTS does not have access to customers’ Social Security numbers, dates of birth, voter registration, immigration status or driver’s license information, and was not compromised.

The DMV said it has since stopped all data transfers to AFTS and has since initiated an emergency contract to prevent any downtime.

AFTS is used across the United States to process payments, invoices and verify addresses. Several municipalities have already confirmed that they are affected by the data breach, suggesting it may not be limited to California’s DMV.

Brett Callow, a ransomware expert and threat analyst at security firm Emsisoft, told TechCrunch that the Cuba ransomware group was likely to blame for the attack. TechCrunch can confirm that a dark web site known to be used by the Cuba ransomware group listed AFTS as a victim, claiming the group stole “financial documents, correspondence with bank employees, account movements, balance sheets [and] tax documents.”

The Cuba ransomware leak site, claiming it hacked and stole internal financial and tax data from AFTS. (Screenshot: TechCrunch)

Ransomware typically encrypts a company’s files and will unlock them in exchange for a ransom. But since many companies have backups, some ransomware groups steal sensitive internal data and threaten to publish the stolen files online unless the ransom is paid.

“Cuba is a data-exfiltrating ransomware group that we first noticed in December 2019,” Callow told TechCrunch. “They may, however, have been operating prior to that as some of the data they claim that some of the data they have published was stolen the month prior. The ransomware is secure, meaning data encrypted it cannot be recovered unless the ransom is paid. While most groups simply publish stolen data, Cuba attempts to sell it in some cases. Whether they have been successful in this, however, is not clear.”

Callow said his company’s own data shows more than 1,300 public and private sector organizations had data published on leak sites during 2020. “Many others will have paid to prevent it being published,” he said. “It’s a huge problem, and it’s a problem that will likely only get worse unless decisive action is taken.”

TechCrunch contacted the Cuba ransomware group but has not yet heard back.

AFTS could not be immediately reached for comment. Its website remains offline, with a short message: “The website for AFTS and all related payment processing website [sic] are unavailable due to technical issues. We are working on restoring them as quickly as possible.”

California DMV’s director Steve Gordon said: “We are looking at additional measures to implement to bolster security to protect information held by the DMV and companies that we contract with.”

Last year it was reported that California’s DMV makes more than $50 million a year by selling drivers’ personal information, including to bondsmen and private investigators.

California has more than 35 million registered vehicles.

Updated on February 19 with new information from Emsisoft regarding the Cuba ransomware.