
DPS Website was NOT secure

Posted: Fri May 07, 2010 11:11 am
by KinArlington
I just received the following e-mail. The DPS website was not secure for the first day or so.


Dear :

On May 1st, the Texas Department of Public Safety (DPS) released a new version of our Concealed Handgun Online Services through TexasOnline.com. According to our records, you were one of the first customers to use the new system. Regrettably, during the time of your visit, one of the online security features was not fully implemented and there is a chance that some of your personal information could have been seen while it was being transmitted to TexasOnline. Personal information affected may have included your Social Security Number, date of birth and driver's license number. Once this vulnerability was identified, it was promptly addressed and we have found no evidence of a security breach and are unaware of any actual data loss.

The Concealed Handgun Online Services application is now using appropriate online security services. DPS remains committed to our mission of courtesy, service and protection. In that light, we have set up a toll-free number, 888-246-4638, to answer any of your questions. This call center will be monitored 24/7 by our partners at TexasOnline until July 2, 2010. Additionally, 12 months of credit monitoring will be made available to you without charge upon your request.

We have also attached some additional information concerning identity theft safeguards.

Respectfully,


Brad Rable
Chief Information Officer
Texas Department of Public Safety

Karen Robinson
Chief Technology Officer
State of Texas



Questions & Answers

What happened?
- The Texas Department of Public Safety’s Concealed Handgun Licensing online service experienced a 24-hour security vulnerability in which certain personal information (including Social Security number, date of birth, and driver’s license number) was not properly encrypted. This information could have been seen as it was being sent to TexasOnline, the state’s official Web site.
- Only Social Security numbers, dates of birth, and driver’s license numbers were unencrypted. All other personal information, including payment information, was securely transmitted to TexasOnline.
- The vulnerability was fixed as soon as it was discovered and all Department of Public Safety online services, including the Concealed Handgun Licensing system, are operating with the appropriate security measures in place.

Has my personal information been seen or used without my permission?
There is no indication that your personal information was seen or has been used without your permission. However, we are notifying you of this issue as a precautionary measure.

If I didn’t receive a notification letter, does that mean my personal information was not part of this security vulnerability?
Correct. Notification e-mails and letters were only sent to those people who provided information to the Concealed Handgun Licensing site on May 2 and 3, 2010.

What is the Department of Public Safety and the State of Texas doing to resolve this issue?
- First and foremost, the Department of Public Safety and State of Texas acted quickly to correct the technical issue and ensure that the appropriate security measures are applied to all TexasOnline services.
- We have notified the affected concealed handgun license applicants. Letters with detailed information were e-mailed on May 6 and mailed on May 7 to the addresses provided during the online transaction.
- A toll-free hotline has been set up at 888-246-4638 to answer additional questions or concerns.

What steps should I take to protect myself?
- We recommend that you monitor your credit report, which you can get for free at http://www.annualcreditreport.com or by calling 1-877-322-8228. By law, you are entitled to one free credit report every year from each of the three major credit bureaus.
- As a precaution, you can request an identity theft victim information kit from the Texas Attorney General’s office at http://www.oag.state.tx.us/consumer/ide ... heft.shtml.
- Free 12-month subscriptions to a credit monitoring service are available by request. With this service, all three major credit reporting bureaus will monitor your credit file and will notify you whenever accounts are opened or changed in your name. For additional information, please contact us at 888-246-4638.
- You may also contact one of the three credit bureaus to place a 90-day fraud alert on your credit report. That bureau will automatically notify the other two companies to flag your credit file. A fraud alert flag tells creditors to follow additional procedures before opening or changing accounts in your name.

Equifax: http://www.equifax.com
1-800-525-6285
P.O. Box 740241
Atlanta, GA 30374-0241

Experian: http://www.experian.com
1-888-397-3742
P.O. Box 9532
Allen, TX 75013

TransUnion: http://www.transunion.com
1-800-680-7289
Fraud Victim Assurance Division
P.O. Box 6790
Fullerton, CA 92834-6790

Should I close my bank account or cancel my credit cards?
No. The payment information you may have provided during the online transaction had the proper security measures in place and was not viewable when it was sent to TexasOnline. Because Social Security numbers were obtained without authorization, though, we recommend that individuals monitor their financial accounts for suspicious activity as a precaution.

Should I request a new Social Security number?
The Social Security Administration will not issue new Social Security numbers merely as a precaution. Social Security numbers are reassigned in rare cases when clear evidence is presented that your Social Security number has been used in a criminal manner and caused recent economic or personal hardship. For additional information, contact the Social Security Administration at http://www.socialsecurity.gov.

Was my Concealed Handgun Licensing transaction cancelled due to this vulnerability?
No. To check the status of your Concealed Handgun Licensing online request, please log in to the online service at https://www.texasonline.state.tx.us/txapp/txdps/chl/.

Re: DPS Website was NOT secure

Posted: Fri May 07, 2010 12:55 pm
by aceat64
It looks to me like they are saying they didn't have SSL encryption in place for some of the pages/forms on their website. Unless someone was listening to your traffic during the brief window that this occurred, there's no risk to your information. It's also incredibly rare that anyone would be monitoring or able to monitor your traffic unless you are on an unsecured wireless network or other public internet connection; one notable exception is that of a government agency executing a warrant to wiretap (who already has your info anyway :lol:).

I think the notification that they had a problem and fixed it is a good sign though, it shows they are being responsible about the issue. :cheers2:

Re: DPS Website was NOT secure

Posted: Sat May 08, 2010 12:18 pm
by rexinthecity
aceat64 wrote:
It looks to me like they are saying they didn't have SSL encryption in place for some of the pages/forms on their website. Unless someone was listening to your traffic during the brief window that this occurred, there's no risk to your information. It's also incredibly rare that anyone would be monitoring or able to monitor your traffic unless you are on an unsecured wireless network or other public internet connection; one notable exception is that of a government agency executing a warrant to wiretap (who already has your info anyway :lol:).

I think the notification that they had a problem and fixed it is a good sign though, it shows they are being responsible about the issue. :cheers2:

My thoughts exactly. You shouldn't have anything to worry about.