Forwarded From: bluesky@rcia.com
Posted at 02:10 a.m. PDT; Friday, September 4, 1998
Vehicle-license database compromised
by Peter Lewis
Seattle Times staff reporter
A state database containing driver- and vehicle-license information is
undergoing major surgery today while the Department of Licensing (DOL)
struggles to close a security breach exposed by a Sunnyside online news
site.
"We'll take the hit on dealing with complaints because we need to
safeguard the privacy of information," DOL spokesmanMark Varadian said
yesterday.
The database, known as VIPS (Vehicle/Vessel Information Processing
System), normally operates 24 hours a day, seven days a week and houses
information about registered vehicles, including owner addresses. It was
taken down Wednesday afternoon after DOL learned that Larry Ashby,
publisher of the online Yakima Valley News had posted on his Web site:
http://www.yakvalnews.com/ what he thought were access codes to the
system.
Ashby acted after the state decided to terminate his access, Varadian
said. DOL had determined that the account belonging to Northwest
Publishing, the parent company of Yakima Valley News, no longer qualified
for access under rigorous federal privacy standards that took effect last
year governing driver information.
Ashby yesterday defended his decision to post the information, contending
that it's public record.
In fact, what Ashby posted were some of the four-digit contract numbers
belonging to the 2,100 customers with access to VIPS. He received those
numbers by filing a public-records-disclosure request with DOL.
By chance, some of the contract numbers matched access-code numbers of
different customers. That coincidence caused DOL to shut down VIPS until
computer experts can devise an "enhanced" security system.
Varadian could not say how long that might take, or what it would cost.
He also said state lawyers have preliminarily determined that Ashby
probably didn't commit a crime by merely posting the information. But
anyone who tries to hack into VIPS using the information could be
prosecuted for criminal trespass.
VIPS contains information on about 6 million registered drivers. It is an
automated system used primarily by insurance companies and auto dealers
who need to confirm information about vehicle ownership, makes and models,
Varadian said.
The user dials into the voice-based system from a touchtone phone, enters
his account number and follows a series of prompts to retrieve
information, which is conveyed by a computerized voice.
While the system has been taken out of commission, users now must call
during business hours to reach DOL staff, who will ask them for their
business names to verify their accounts. Normally, VIPS gets about 1,200
hits a day, Varadian said.
Last year, Oregon tightened up public access to driver and vehicle
information after a computer consultant put 3 million motor-vehicle
records on the Internet. Most Oregonians were angered after the
consultant, who paid $222 for the list, posted the data to his Web site.
More than 21,000 people are estimated to have visited the site.
Washington's DOL does not sell its driver-information records, though it
makes them available to selected businesses and investigators.
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Fri Sep 4 13:28:31 1998