State ID Databases Hacked

It won’t surprise anyone who follows data security to know that this past summer saw a hack of databases containing Louisiana driver information. A hacker going by the ironic handle “NSA” offered the data for sale on a “dark web” marketplace.

Over 290,000 residents of Louisiana were apparently affected by the data breach. The information stolen was typical of that which is held by motor vehicle bureaus: first name, middle name, last name, date of birth, driver’s license number, state in which the driver’s license was issued, address, phone number, email address, a record of driving offenses and infractions, and any and all fines paid to settle tickets and other fines.

This leak highlights the risks of state participation in the REAL ID Act. One of the problems with linking together the databases of every state to create a national ID is that the system will only be as secure as the state with the weakest security.

REAL ID mandates that states require drivers to present multiple documents for proof of identity, proof of legal presence in the United States, and proof of their Social Security number. The information from these documents and digital copies of the documents themselves are to be stored state-run databases just like the one that was hacked in Louisiana.

For the tiniest increment in national security—inconveniencing any foreign terrorist who might use a driver’s license in the U.S.—REAL ID increases the risk of wholesale data breaches and wide-scale identity fraud. It’s not a good trade-off.