10 Worst States for DMV and DOT Data Breaches [2020 Study]
In the worst states for DMV and DOT data breaches, your personal data may not be safe even at government-funded organizations. Over the last 15 years, data breaches at DMV and DOT locations have affected 235,207 individuals. Some of the information that can be stolen through a security breach at a state DMV or DOT office includes Social Security numbers, birth certificates, home addresses, vehicle registration numbers, and other sensitive information.
UPDATED: Dec 2, 2020
It’s all about you. We want to help you make the right coverage choices.
Advertiser Disclosure: We strive to help you make confident auto insurance decisions. Comparison shopping should be easy. We are not affiliated with any one auto insurance provider and cannot guarantee quotes from any single provider. Our partnerships don’t influence our content. Our opinions are our own. To compare quotes from many different companies please enter your ZIP code on this page to use the free quote tool. The more quotes you compare, the more chances to save.
Editorial Guidelines: We are a free online resource for anyone interested in learning more about auto insurance. Our goal is to be an objective, third-party resource for everything auto insurance related. We update our site regularly, and all content is reviewed by auto insurance experts.
- DMV and DOT data breaches are not common, but they expose sensitive information like SSNs and addresses
- The worst states for DMV and DOT data breaches affected 235,207 drivers in the last 15 years
- Some DMVs and DOTs sell drivers’ information to third parties, putting drivers’ information at even more risk
If you’ve ever been the victim of data theft, such as a stolen credit card number or a virus accidentally downloaded onto your laptop, then you know how much time, energy, and money these incidents can cost you.
While you might expect your data to be safe at a government institution like the Department of Motor Vehicles (DMV) or the Department of Transportation (DOT), the truth is that anywhere your information is stored, there is always the risk of data theft.
And if you live in one of the worst states for DMV and DOT data breaches and attacks, your personal data may be even more at risk than you thought. DMVs and DOTs store a wide variety of drivers’ data, from Social Security numbers to email addresses.
Some of the more basic information, like your email address and phone number, may even be sold to third parties who have contracts with the DMV or DOT in your state.
This puts your personal data at even more risk, as somebody could breach these third parties. So instead of wondering which states have the cheapest auto insurance rates, you should be wondering which states put your information most at risk.
To help drivers understand the risks they may face from data breaches at DMVs and DOTs, we’ve compiled a list of the top 10 worst states for data breaches over the last 15 years. While DMV and DOT breaches and attacks are not overly common, they do happen and put thousands of customers’ personal data at risk.
In addition to our data breaches list of the worst attacks and breaches by state, we will also go over the following:
- Recent data attacks in the news
- What to do if your data is stolen
So read on to find out more about the consequences of DMV and DOT data breaches and attacks and what you can do to keep your information safe.
10 Worst States for DMV and DOT Data Breaches
To find the 10 worst states for DMV and DOT data breaches, our researchers looked at the data breach report from the Identity Theft Resource Center (ITRC) and pulled data from the last 15 years (since 2005) to determine which states had the most individuals affected by DMV and DOT data breaches.
|Rank||State||Individuals Impacted||Breaches in 15 years|
The data breaches over the last 15 years are worrisome. Even just one data breach at a state DMV can affect thousands of individuals. Generally, the larger the state, the more information there will be stored on drivers, meaning attackers can get more data in breaches at DMV and DOT locations.
To show you how often DMV and DOT data breaches happen, we’ve put together 15 years of data from the ITRC in the graphic below.
As you can see on the graphic, the number of breaches has gone down slightly over the years. This could be due to increased security and better technology as companies learn from the past breaches.
Stick with us to learn more about the DMV and DOT data breaches in the top 10 states.
#10 – New York
- Department Breached: New York Department of Motor Vehicles
- Individuals Impacted: 200
- Years of Breaches: 2010 and 2018
In 2010, the New York DMV was breached, affecting a total of 200 individuals. Government breaches are rarer than most. According to the New York State Attorney General’s report on breaches from 2006 to 2013, the total government agency breaches equaled 14.
There was a total of 241 breaches in New York, which means government breaches only made up roughly 6 percent of all breaches.
However, even though this is a small percentage of overall data breaches, government breaches are serious.
Even though 200 is a small number of overall drivers in New York, the New York DMV stores sensitive information, so even small data leaks can be devastating for those who have New York registered cars and New York auto insurance.
#9 – Tennessee
- Department Breached: Tennessee Department of Transportation
- Individuals Impacted: 500
- Year of Breach: 2007
Tennessee earns the 9th spot, as the Tennessee DOT had a 2007 breach that affected an estimated 500 individuals.
Unfortunately, the Tennessee DOT doesn’t keep a record of data breaches, so the exact nature of the breach at the Tennessee DOT is unknown. However, we do know that according to the Federal Bureau of Investigation (FBI), in 2007, Tennessee received 3,147 complaints of fraud from Tennessee residents and businesses.
Because this is a lower number compared to most states, Tennessee ranks near the bottom for the worst data breaches in the United States. This means that even a small data breach that affects 500 people is significant in the state of Tennessee.
#8 – Hawaii
- Department Breached: Hawaii Department of Transportation
- Individuals Impacted: 1,892
- Year of Breach: 2009
The Hawaii DOT had a breach in 2009 that impacted 1,892 individuals. This is a significant number of people’s information breached in Hawaii. Why?
According to the Department of Commerce and Consumer Affairs (HI DCCA) in Hawaii, in 2009, there were a total of 5,820 people affected by security breaches.
This means that 32 percent of the people affected were caused by the breach at Hawaii DOT. This is a high percentage for a DOT breach.
#7 – California
- Department Breached: California Department of Motor Vehicles
- Individuals Impacted: 3,200
- Years of Breaches: 2014, 2015, and 2019
In 2019, the California DMV suffered a breach when the Social Security numbers of roughly 3,200 individuals were accidentally exposed. According to a CNN article about the breach, the SSNs were exposed through a Government Requester Code Account Program.
It is unknown who accessed the SSNs during the four-year period the SSNs were accessible on the program, although CNN reports that the DMV says the SSNs weren’t available to anyone outside the government.
Since the California DMV data breach, the DMV has stated it’s added extra security levels to ensure the leak of SSNs doesn’t happen again.
#6 – Indiana
- Department Breached: Department of Transportation
- Individuals Impacted: 4,000
- Year of Breach: 2007
In 2007, an estimated 4,000 individuals were impacted by a breach at the DOT in Indiana. The DOT does not have old records available, so it is unknown exactly what data was leaked in the 2007 incident.
However, according to the FBI, in 2007, Indiana actually ranked 23rd in the country, as its number of complaints was over 55 per 100,000 people. This means that Indiana is right in the middle of the pack for data theft complaints in 2007.
#5 – Massachusetts
- Department Breached: Massachusetts Department of Transportation’s Registry of Motor Vehicles
- Individuals Impacted: 7,202
- Year of Breach: 2019
In 2019, the Massachusetts DOT suffered a breach in its registry of motor vehicles that affected 7,202 individuals. How?
According to a copy of the Massachusetts DOT’s notice posted by the Office of the Vermont Attorney General, one of the Massachusetts DOT’s vendors incorrectly disclosed customer’s names and license numbers.
While the Massachusetts DOT stated they weren’t aware of any misuse of the information by their vendor, they did have to offer to replace any license plates for free for the 7,202 individuals who had their information released.
#4 – Nevada
- Department Breached: Nevada Department of Motor Vehicles
- Individuals Impacted: 8,800
- Years of Breaches: 2005 and 2016
Back in 2005, the Nevada DMV had a breach that affected 8,800 individuals’ data. Large breaches at companies in Nevada are not uncommon.
According to the FBI, in 2005 Nevada ranked first for the number of perpetrators of data theft, which was over 26 for every 100,000 people.
With such a large number of data breaches and internet fraud complaints in 2005, it is no wonder that the Nevada DMV was also a target of data theft and breaches.
#3 – Pennsylvania
- Department Breached: Pennsylvania Department of Transportation
- Individuals Impacted: 11,400
- Year of Breach: 2006
In 2006, the Pennsylvania DOT had a data breach that impacted 11,400 individuals. This is a high number of people who had data exposed at the Pennsylvania DOT.
According to the FBI, in 2006, the number of internet crime complaints in Pennsylvania accounted for 4 percent of all complaints in the United States, which ranks Pennsylvania near the upper-middle in the country for internet crime complaints.
#2 – North Carolina
- Departments Breached: North Carolina Department of Transportation and Department of Motor Vehicles
- Individuals Impacted: 65,013
- Years of Breaches: 2006, 2007, 2009, and 2017
North Carolina has suffered a number of breaches over the last 15 years, the total impact equaling 65,013 individuals who had their information incorrectly released. All of the following breaches occurred at North Carolina DMV and DOT locations.
- 2006 Breach: 16,000 individuals affected
- 2007 Breach: 25,000 individuals affected
- 2009 Breach: 13 individuals affected
- 2017 Breach: 24,000 individuals affected
A total of four breaches over the last 15 years is the highest number out of any state. The 2007 breach affected the most people.
According to a WRAL news report on the breach, the security breach was the names and SSNs of DOT employees and contractors. All individuals affected by the breach were advised to freeze their credit.
#1 – Florida
- Department Breached: U.S. Department of Transportation
- Individuals Impacted: 133,000
- Year of Breach: 2006
Florida tops our list as number one of the worst DOT breach. In 2006, the U.S. DOT in Florida was breached, impacting 133,000 individuals. How? A laptop was stolen from a government vehicle.
According to the news report on the theft by the Sun Sentinal, the laptop contained the following sensitive information of 133,000 Floridians in a database:
- Social Security numbers
- Birth dates
The number of people put at risk from this data theft in Florida is the highest in the last 15 years of DMV and DOT data breaches, which is why it earns the No. 1 spot on our list.
How Data is Stolen From the DMV and DOT
Data can be stolen or leaked from government institutions the same as any company or individual. While the government has more safeguards to guard information than a regular citizen, this doesn’t mean that data is 100 percent safe at a government institution.
So how is data usually stolen or accidentally leaked? Take a look at the graphic below to see the most common ways data is stolen or leaked.
While some data breaches can occur due to physical theft, most do occur from cyber attacks like ransomware and viruses.
According to the FBI’s 2019 report, phishing had the highest number of cybercrimes in the United States. A total of 114,702 people fell victim to phishing in 2019.
The cost of cybercrime in 2019? $3.5 billion. Not only is there the money stolen from victims, but the government has to invest in fighting cybercrime, replacing stolen documents, and investigating cybercrime. All of this can get expensive very fast.
At the DMV and DOT, the data stolen can also be sold for a hefty price, as there are Social Security numbers, birth certificates, and more stored at the DMV and DOT. Take a look at the graphic below to see what kinds of personal information may be at risk in a data breach or attack.
Any time your information is stored somewhere, it is at risk. Luckily, DMVs and DOTs that have been the victims of data breaches usually take steps to ensure the same thing doesn’t happen again, whether it is a computer breach or unshredded documents.
Recent Data Breach in the News
What companies have been hacked in 2020? If you live in Texas, then you have likely heard of the 2020 data breach at the Texas Department of Motor Vehicles.
According to FOX News in Houston, almost 28 million Texas drivers had data stolen that contained their driver’s license numbers, addresses, names, birthdates, personal addresses, and vehicle registration.
How did this happen? Most people are not aware that DMVs and DOTs make a great deal of their annual profit by selling drivers’ data to third parties.
While you’d expect your information to be accessed by police officers and insurance companies to make sure you aren’t driving without insurance, the DMV and DOT may also sell your information to towing companies, private investigators, advertising firms, marketers, security companies, and many more.
With the Texas DMV, the data leak was through a third-party insurance software company. The tool that the insurance software company used to store the DMV information was hacked, putting the 28 million Texas drivers at risk.
Bottom line? Any time a DMV or DOT sells your information to a third party, the risk of your information being leaked or stolen increases. Unfortunately, there are currently a number of loopholes in the privacy laws in states that allow the DMV and DOT to continue selling information to third parties.
Interviews with Lawyers and Privacy Experts
Want more information on data breaches? We’ve collected advice from experienced lawyers and privacy experts, so read on to see what the experts have to say about the risks of data breaches and what can be done to prevent data breaches from happening.
What are the most common ways criminals breach data at government corporations like the DMV and DOT?
“Inside jobs. Employees who have access to the information are the most likely culprit when it comes to either stealing that information for their own personal gain or mistakingly exposing it by introducing malware into the system.”
What’s the worst that could happen from someone getting a person’s personal information from the DMV or DOT?
“All of the above I listed, including criminal identity theft and new account fraud. When a driver’s license is compromised, that is the most effective way to actually ‘be’ someone.”
What practical steps should drivers follow if their data is stolen?
“There’s no such thing as ‘freeze credit cards.’ There is something called a ‘credit freeze’ also known as a security freeze. And there is also no such thing as getting a new Social Security number. If that is even available, it is only available to victims of domestic violence.
A credit freeze is a tool offered by the three credit bureaus for free. Simply go online to TransUnion, Equifax, and Experian, and within their website search the terms either credit freeze or security freeze. There is no cost to freeze or unfreeze a person’s credit. A credit freeze is basically a lock on a person’s credit, giving them control of when a lender can see their credit scores.
Once a person freezes their credit, a lender who goes to check that person’s credit would not see that person’s credit scores, therefore the lender wouldn’t know what their risk level is. And as a result, the lender is unlikely to grant credit.
A credit freeze coupled with identity theft protection services are a multi-layer approach to mitigate and in some cases prevent fraud. Keep in mind that neither a credit freeze nor identity theft protection services can prevent all forms of identity theft.
Is a fraud alert the same as a credit freeze? No, they are not the same. A fraud alert lasts for one year, but scammers can still access credit files and apply for new credit.
While a creditor might know you had your ID stolen, creditors can still issue credit. The only thing a fraud alert does is notify lenders that something might be wrong with your credit.
In comparison, a credit freeze protects your credit. When ID thieves access Social Security numbers, they can also apply for credit in your name. However, if the credit file is frozen, thieves cannot access it, as freezing your credit makes the files not accessible.
In order to gain access to your frozen credit, such as when you want to apply for a credit line, you will have to unfreeze it by using a PIN given to you by the credit bureau.
Keep in mind that freezing a credit report does not affect the lines of credit that you have already open, and the freezing process is free for those who are ID theft victims.
However, anyone can pay a small fee to TransUnion, Experian, and Equifax, the three main credit reporting bureaus, to freeze their credit. What exactly does a freeze do? Credit freezes protect you from new account fraud. A freeze also prevents criminals from opening up new lines of credit or new accounts that require a credit check.
Had your identity stolen? You should consider freezing your credit. If you have a Social Security number, you are a target, so you can make your SSN and credit useless to thieves. Even if thieves get it, they cannot use it to open a new account with your name.
Before doing a credit freeze, you don’t have to know too much and can just do it. Your credit will be frozen on all credit applications. It is not inconvenient to freeze your credit, as it only takes a few minutes to freeze and unfreeze your credit file. Of course, you must unfreeze your credit before you can apply for new credit.
While this means that you have to take a little time to let the thaw pass, it usually takes only a couple of minutes. A thaw makes the credit freeze more secure and helps keep you safe, and credit freeze doesn’t hurt your credit in any way. In addition, if you have an existing creditor, they can still do ‘soft’ checks on your credit report. You can freeze your credit here:
So what does a freeze not do? It doesn’t protect you from credit card fraud or a bank account takeover. If you lose your wallet, a freeze won’t help you, as it doesn’t protect you from tax-related identity theft, Social Security fraud, and many other forms of account take over. Again, a freeze’s main purpose is to prevent ‘new account fraud.’
Do you need identity theft protection if you have a freeze? Security is all about ‘layers of protection,’ and a freeze only protects you from certain things. On the other hand, identity theft protection will mitigate other forms of fraud.
Identity theft protection services don’t protect you from things like tax-related identity theft or even medical-related fraud, but the identity theft protection ‘fraud resolution experts’ and the insurance that comes with identity theft protection services will help victims fix those forms of fraud.”
Robert Siciliano is a cyber social identity protection instructor at ProtectNow.
ProtectNow specializes in security awareness, threat prevention, and fraud protection.
“Well, the worst thing that can happen from someone getting a person’s personal information from the DMV or DOT is murder.
An example of this was the death of Rebecca Schaeffer in 1989, when a fan tracked her down and shot her in her home.
As a result, the Driver’s Privacy Protection Act was passed in 1994 to prevent it from happening again. Unfortunately, this law has a lot of exceptions, such as what information can be shared and who it is shared to.
Some states handle your information differently, but some examples of who might be able to get hold of your information are law enforcement, private investigators, and insurance companies.
If we really want the dangers of shared personal information to go away, these exceptions need to be removed or more strictly monitored.
As I mentioned previously, some state laws vary, and in some cases, you might be able to do something to withhold information from being shared.
It’s best to find out what the exact laws are in your state, but an example of what can be done in some states is you can request to withhold your name and address from various files (also known as ‘opt-out’).
When you request this, you’ll need to complete a form to have it implemented. Even in this case, your information may continue to be shared when individual requests are filed under the Driver’s Privacy Protection Act, so you might not consider the effort to be worth the trouble.”
Blake Hardwick represents the NYC personal injury attorney office, Greenberg & Stein, PC.
This law office has over 75 years of litigation experience including data-breach claims.
What are the most common ways criminals breach data at government corporations like the DMV and DOT?
“Phishing is the most common attack vector. Criminals send emails and other messages to DMV staff posing as a trusted authority. The emails contain links to fake websites where DMV employees are tricked into handing over passwords, money, or information.”
What’s the worst that could happen from someone getting a person’s personal information from the DMV or DOT? Identity theft, stalking, etc.?
“The DMV keeps detailed personal information about drivers, including Social Security numbers. A data breach could put drivers at risk of identity theft and fraud, scams, and extortion.”
Can you do anything if you suspect the DMV or DOT has sold your information to a third party or that a third party has misused your information?
“There’s nothing that can get the information back once it’s been sold, but you can report the incident to the appropriate authority, such as your state attorney general.”
Is there any way you can prevent the DMV or DOT from selling your information?
“The Drivers Privacy Protection Act (DPPA) requires DMVs to obtain consent before selling a driver’s personal data. Be sure not to blindly sign paperwork that allows the DMV to do so.”
What laws need to be passed to prevent the DMV or DOT from selling information to third parties? Does your state have these in place?
“The DPPA already prevents this. The DPPA is a national law. Some states have supplemental laws that bolster the DPPA, but every state must meet the DPPA’s federal baseline protections.”
What practical steps should drivers follow if their data is stolen? Freeze credit cards, get new SSNs, etc.?
“It depends on what was stolen. If the information included a Social Security number, then a credit freeze or fraud alert is a good idea. If it was just your name and contact details, just be on the lookout for scams and phishing.”
Paul Bischoff is a privacy advocate and researcher with Comparitech.
He covers cybersecurity, digital privacy, VPNs, encryption, and identity theft.
Frequently Asked Questions: Personal Information Data Breaches
We’ve covered a lot of ground in this study of DMV and DOT data breaches, but we understand you probably still have a number of questions. Read on to see what common questions others are asking about data breaches and why data breaches are bad.
#1 – What causes the highest percentage of data breaches?
Answers will vary on this depending on who you ask, but two of the biggest ways data gets leaked are hackers and human error. While a hacker makes sense, most people aren’t aware that it’s usually simple things like making a weak password or forgetting to sign out of a device that can contribute to data breaches.
#2 – What are the world’s biggest data breaches?
One of the largest data breaches in history was at Yahoo, where billions of people’s data were hacked. Other memorable data breaches at major companies include Facebook and Equifax.
#3 – What are the potential effects of a data breach?
How does a data breach affect me? There are a number of effects that can occur after a data breach. From the customer’s side, they may face financial losses, identity theft, spam, and more.
As for the company, it may lose customers after a data breach, as customers no longer trust it. A company may also have to pay thousands of dollars, or even millions, to fix the issue and install better security.
#4 – Where can I find a data breach dataset?
You can find information and records of data breaches at the ITRC, a comprehensive data breach tracker information center. There is also state-by-state information on cybercrime at the FBI.
Some states may also have information on data breaches on attorney general office websites, although this information is harder to find because not all states record data breach information for the public.
#5 – How common are data breaches?
Data breach reporting shows that breaches are extremely common. According to the FBI, the bureau receives more than 1,200 complaints of cybercrime per day. Keep in mind that these are just complaints or reports of cybercrime breaches.
This means that each complaint may not equal just one person for something like a DMV and DOT data breach. A data breach could affect thousands of people, but only one report is filed for it by the company that was breached.
Methodology: Ranking the Worst States for Driver-Related Data Breaches
Our researchers used the data from the Identity Theft Resource Center (ITRC) as the base for our study. Using the ITRC’s data, our team combed through the last 15 years of data breaches and pulled information for any data breaches involving a DMV or DOT.
Because not all breaches result in a leak of information, any DMV or DOT incidents that affected zero individuals were eliminated from the list.
Once the complete list of DMV and DOT breaches with data on the number of individuals was formulated, our researchers pulled out the top 10 worst states for data breaches at the DMV or DOT based on the number of individuals affected.
Our team found this to be the most accurate way to base how bad a data breach was at a DMV or DOT, as monetary losses are not always available, especially with many of the attacks happening over a decade ago. Assessing how much information was leaked in the number of total attacks in each state is the best way to judge which states had the biggest breaches over the last 15 years.