The Cuba ransomware gang launched assaults in February on a payment processor widely used by state and municipal agencies across the United States to manage utility bills and driver’s license data, prompting data breach notifications from numerous cities and agencies in California and Washington.
The gang stole unencrypted data files from Seattle-based Automatic Funds Transfer Services (AFTS) and deployed the ransomware, disrupting the company’s business operations and bringing down its website, according to initial reports.
The California Department of Motor Vehicles (DMV), which uses AFTS to verify vehicle registration addresses, notified state residents Wednesday about the ransomware attack. The DMV said agency systems had not been compromised. The agency’s statement stressed that AFTS does not have access to DMV customers’ social security numbers, birthdates, voter registration, immigration status or driver’s license information.
The DMV did acknowledge that the ransomware attack may have compromised information provided to AFTS by the DMV, including the last 20 months of California vehicle registration records that contain names, addresses, license plate numbers and vehicle identification numbers.
Once notified of the potential breach, the DMV immediately stopped all data transfers to AFTS and notified law enforcement, including the FBI.
The city of Seattle also issued a statement confirming the attack and claiming there’s no evidence that any city IT infrastructure or systems were impacted or are at heightened risk. City officials said a “small” number of city departments use AFTS for commercial billing, printing and mailing services.
Numerous other cities and municipalities issued similar statements acknowledging the attack and explaining ransomware basics to citizens throughout Washington, including Alderwood, Everett, Kirkland, Lakewood, Monroe, Redmond and Silver Lake.
“It’s interesting that only the California DMV’s advisory related to AFTS includes a reference to the ‘last 20 months of California vehicle registration records,’” said Oliver Tavakoli, CTO at Vectra. “As it’s unlikely that an attack of this kind has been dormant for 20 months, this would seem to indicate that AFTS retains transaction data for at least 18 months and the earliest sign of the attack may be two months old.”
Tavakoli said this incident should remind security pros of a best practice around reducing the size of data leaks: carefully scrutinize how long the organization must retain data and aggressively remove the data once it has reached that age.
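The retention practice Tavakoli describes can be enforced mechanically. The following is an added illustration, not code from AFTS, the DMV or any organization named in the article: it applies a per-category retention window to a record store, separates records that have aged out (and should be purged) from those still inside the window, flags records whose category has no policy so they are reviewed rather than silently kept or deleted, and measures how many records would remain exposed to a theft like this one under a given policy. The record categories, retention windows and dates are constructed sample values chosen for the example.

```python
"""Retention enforcement example (constructed illustration, not AFTS or DMV code).

Given records with creation dates and a retention policy expressed in days per
record category, decide which records have aged out and should be purged, and
measure how much a policy shrinks the number of records a thief could take.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    record_id: str
    created: date      # date the record entered the store
    category: str      # kind of data, e.g. "vehicle_registration"


# Constructed sample data: ids, categories and dates are arbitrary.
SAMPLE_RECORDS = [
    Record("VR-001", date(2019, 6, 1), "vehicle_registration"),   # long expired
    Record("VR-002", date(2020, 2, 2), "vehicle_registration"),   # exactly 365 days old
    Record("VR-003", date(2020, 12, 15), "vehicle_registration"),  # recent
    Record("UB-001", date(2020, 7, 1), "utility_bill"),            # 215 days old
    Record("UB-002", date(2020, 11, 1), "utility_bill"),           # 92 days old
    Record("ST-001", date(2018, 1, 1), "support_ticket"),          # no policy defined
]

# Hypothetical policy: how many days each category may be held.
RETENTION_DAYS = {"vehicle_registration": 365, "utility_bill": 180}

TODAY = date(2021, 2, 1)  # fixed "now" so the example is reproducible


def is_expired(record, today, policy):
    """True when the record has been held strictly longer than its window.

    A record sitting exactly at the boundary is still inside the window, so
    the comparison is '>' rather than '>='.
    """
    return (today - record.created) > timedelta(days=policy[record.category])


def partition(records, today, policy):
    """Split records into (purge, keep, unclassified).

    Records whose category has no retention entry are neither kept quietly
    nor deleted: they are returned separately so the policy gap gets fixed.
    """
    purge, keep, unclassified = [], [], []
    for rec in records:
        if rec.category not in policy:
            unclassified.append(rec)
        elif is_expired(rec, today, policy):
            purge.append(rec)
        else:
            keep.append(rec)
    return purge, keep, unclassified


def exposure_after_purge(records, today, policy):
    """Records that would still be on disk, and therefore stealable, once the
    policy has been enforced. Unclassified records count as exposed because
    they have not been removed."""
    purge, keep, unclassified = partition(records, today, policy)
    return len(keep) + len(unclassified)


if __name__ == "__main__":
    purge, keep, unclassified = partition(SAMPLE_RECORDS, TODAY, RETENTION_DAYS)
    print("purge:", [r.record_id for r in purge])
    print("keep:", [r.record_id for r in keep])
    print("needs a policy:", [r.record_id for r in unclassified])
    print("exposed before enforcement:", len(SAMPLE_RECORDS))
    print("exposed after enforcement:", exposure_after_purge(SAMPLE_RECORDS, TODAY, RETENTION_DAYS))
    # Tightening one window shows the effect on what a breach could take.
    tighter = dict(RETENTION_DAYS, vehicle_registration=180)
    print("exposed with 180-day registration window:",
          exposure_after_purge(SAMPLE_RECORDS, TODAY, tighter))
```

Running the enforcement job on a schedule, and keeping the `unclassified` list empty by giving every category a window, is what turns a retention policy from a document into an upper bound on how much data an intruder can carry off.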