Two snoops exploited a window of opportunity inadvertently left open for several weeks this summer and electronically peeked at the driver's license data of 18 Minnesotans, state officials said Monday.
The crack has been caulked, according to the Department of Public Safety (DPS), and the 18 Minnesotans are being notified that the data exposed for viewing included their driver's license number, photo, name, address and date of birth, the agency said. Social Security numbers were not part of the query results, officials added.
"There is no indication that the data was used for illicit purposes," public safety officials said in a statement. "However, DPS is recommending the affected individuals remain vigilant and review their credit reports on a regular basis. Letters informing the 18 people of the data breach are being mailed [Monday]."
The 55 unauthorized lookups were discovered when a citizen notified DPS and MN.IT, the state's information technology office for the executive branch, about a Web page that allowed queries of the Department of Vehicle Services database to retrieve nonpublic data. The access was disabled on Aug. 24.
Access to the search function appears to be associated with a July 25 "server reconfiguration" that inadvertently removed the authentication process for authorized users, the DPS statement read. Unauthorized access began on Aug. 2, the agency added.
State officials have yet to offer any information about the two people who accessed the data without authority, other than to say that officials have the pair's e-mail addresses. Officials have not said whether they know the pair's identities, but DPS spokesman Bruce Gordon said the two are not state employees.
There was "nothing immediately apparent" to the DPS about why these 18 people were targeted, Gordon said, adding that there were "no public figures" among them.
In addition to disabling the Web page, DPS and MN.IT said they have increased security and scanning functions for all data access points in the wake of the breach.