Driver’s license scans stolen in Columbus cyberattack, data retained for years

play

Every time central Ohioans visit Columbus City Hall and most other municipal government buildings, they scan their driver’s licenses to gain entry — and all that information dating back to early 2006 may now be available on the dark web.

The volume of data, potentially dating back nearly two decades, could have still been archived during a July 18 cyberattack because the city’s retention policy is open and allows the government to keep it until it is deemed “obsolete,” city spokeswoman Melanie Crabill said.

EasyLobby, a security system that has been printing name tags for customers for years, is used to control and monitor the entry and exit of visitors to buildings, according to its maker HID Global.

Although Crabill said it was unclear how much of that data was being recorded at the time of the cyberattack, EasyLobby records in Columbus dating back to February 2006 appear to have been obtained in the hack, said local cybersecurity expert David L. Ross Jr., also known as “Connor Goodwolf.”

Learn more: Franklin County judge grants city’s request to halt cybersecurity expert’s efforts to warn public

The city’s policy of retaining driver’s license records indefinitely likely put citizens at risk, said John Bandler, an attorney and adjunct professor at John Jay College of Criminal Justice in New York.

“If they’ve been in and out, if a month has passed and you know nothing terrible has happened in that building, maybe it’s time to delete the scan,” he said.

Crabill confirmed that EasyLobby has been used by the city since at least 2013, if not earlier.

EasyLobby’s parent company, HID Global, describes the permit-scanning entry point as more “secure” than a pen-and-paper sign-in sheet, easier to use and doesn’t allow people to use fake names. HID Global did not respond to a request for comment for this article.

“Mayor Ginther is committed to continuous improvement,” Crabill said via email. “The city’s response to the cyberattack incident will certainly identify opportunities to revise existing protocols to better protect the city’s data and IT infrastructure.”

What can you do with a copy of your driver’s license?

According to Bandler, a driver’s license is one of the most valuable items an identity thief can obtain because it has so many uses. If the information being leaked on the dark web includes full images of ID cards, scammers will find that even more valuable.

“A cybercriminal or identity thief would love this because it contains important information,” Bandler said.

Criminals can do a number of things if they obtain a copy of someone else’s driver’s license, Bandler said.

First, they can open bank accounts or credit cards in the victim’s name, he explained. They can even apply for a loan, according to the credit monitoring service Experian.

A criminal could also change a person’s mailing address. This could allow identity thieves to retrieve a person’s mail, including important information such as bank statements, credit card statements, and financial documents, from a location of their choosing.

Additionally, a thief could make fake copies of a person’s ID or use it to create an entirely new identity, according to Experian.

“To commit identity theft, you often need a good ID. And of course, you don’t want to use your own ID,” Bandler said. “So it’s very helpful to get a forged or stolen ID, or copies of what’s been scanned. You could use that to create a fake ID.”

Did visitors know that their permit information was being held by the city?

Most visitors likely simply accepted the permit scan as what was required to enter, and many likely didn’t realize that when they logged in through EasyLobby, they might have to hand over a copy of their permit for years to come, Bandler said.

Bandler said the city could at least have eliminated permit checks after a certain period of time and simply kept visitors’ names on file.

“You know you have to do it to get in. You accept it,” he said. “But do people know that the object is stored for years, maybe indefinitely? That probably doesn’t cross a lot of people’s minds.”

Learn more: Columbus Data Breach: Did City’s New Integrated Computer Control System Play a Role?

There is currently no other way to check into a city building without going through EasyLobby, Crabill said. If a visitor has an appointment scheduled with a city employee and refuses to scan a valid ID, they will be given a temporary sticker to wear and must be accompanied by an employee, Crabill said.

In addition to driver’s license information, it appears that the addresses, dates of birth and Social Security numbers of hundreds of thousands of people were also obtained in the cyberattack and released on the dark web, Ross told the Dispatch. Police and prosecutor records were also posted online after the hack.

What can you do if you think a scan of your license was stolen in the Columbus cyberattack?

Central Ohio residents have several options available to them if they believe their driver’s license may be part of a trove of stolen data posted on the dark web.

Columbus offers free credit monitoring to people who believe they have at any point shared personal information with the city. In addition to credit monitoring by Experian, the service includes stolen identity restoration with identity theft insurance and dark web monitoring for two years, according to the city.

People who believe they may be affected can register online through a portal linked to the city’s website.

“My philosophy is don’t panic just because we heard about this latest thing,” Bandler said.

Bandler encouraged people to take advantage of a number of tools if they believe their data or information was part of the Columbus data breach.

While there are paid services, Bandler said it’s free to check your credit. And it’s also free to freeze your credit if she deems it necessary.

Ultimately, Bandler said protecting yourself against cybercrime and identity theft comes down to doing your due diligence on an ongoing basis.

“There is no silver bullet to protect people from cybercrime and identity theft,” he said. “It takes logic, diligence, reason, not fear or panic, and it’s an ongoing process.”

[email protected]

@MaxFilby