Unified Carrier Registration Plan reports on data incident

The Unified Carrier Registration Plan (UCR) is reporting that, on March 28, 2019, a website vulnerability existed in its online National Registration System that could have exposed a UCR registrant’s Tax ID number for a period of 28 days in March 2019.
The UCR determined that, during the period of March 1 through March 28, a UCR registrant’s Tax ID number was displayed in the web browser’s status bar for the receipt created upon completion of the registration process in the National Registration System. Immediately upon learning of the website vulnerability on March 28, the UCR eliminated it by completely removing the use of Tax ID numbers in the National Registration System.
Shortly thereafter, the UCR hired a leading independent cybersecurity firm to perform a forensic investigation into the event. The investigation produced the following conclusions:
  • The only way to view a Tax ID number was by completing a successful login to the National Registration System public website between the dates of March 1, 2019, and March 28, 2019.
  • The total number of registrant accounts open to possible Tax ID exposure during the period from March 1, 2019, through March 28, 2019, was approximately 30,000.
  • There is no indication that a mass export of Tax ID numbers occurred during the period of March 1, 2019, through March 28, 2019. The exposure was limited to the display of a Tax ID number in the web browser’s status bar for the registration receipt.
  • As of today, the UCR is confident that there is no further risk of Tax ID number exposure. The issue has been resolved since the afternoon of March 28, 2019, and the Tax ID numbers of registrants can no longer be displayed.
Upon conclusion of the independent investigation, the UCR submitted the list of approximately 30,000 registrants to the Federal Motor Carrier Safety Administration (FMCSA) for further assistance. The UCR requested that the FMCSA run those entries through FMCSA’s MCMIS database to determine the number of registrants who may have provided a Social Security Number to the database as the Tax ID number. The FMCSA determined that approximately 23,000 of these registrants may have provided a Social Security Number to the database as the Tax ID number. The UCR concluded, therefore, that these approximately 23,000 registrants were potentially open to Social Security Number exposure during the period from March 1, 2019, through March 28, 2019. UCR has elected to individually notify this pool of approximately 23,000 registrants (the “Notification Pool”) of the March 2019 data event.
The UCR has retained a leading provider of data event response services to provide notification services to the Notification Pool. Notices were mailed out recently to the Notification Pool offering identity monitoring services in an effort to prevent any further inconvenience.
See plan.ucr.gov for further information about the UCR. Please contact privacy@legal.ucr.gov for questions regarding this data incident.
