UCR security lapse may have exposed SSN, Tax ID of 30,000 carriers

Img 1717
Updated Oct 25, 2019

UCR RegistrationUnified Carrier Registration (UCR) Board has acknowledged that its online National Registration System could have exposed the social security number or Tax ID number of 30,000 drivers and carriers seven months ago.

Through a statement posted to its website, UCR said a site vulnerability existed on its online National Registration System for most of the month of March 2019 that potentially exposed a UCR registrant’s Tax ID number. The UCR determined that, from March 1-28, a UCR registrant’s Tax ID number “was displayed in the status bar of the web browser of the receipt created upon completion of the registration process in the National Registration System.”

Upon learning of the website vulnerability March 28, UCR says it was eliminated “immediately” by removing the use of Tax ID numbers in the National Registration System, and the agency hired an independent cybersecurity firm to perform a forensic investigation into the event.

The investigation found, according to UCR, the only way to view a Tax ID number was by completing a successful login to the National Registration System public website between the affected dates.

There was no indication, UCR said, of mass export of Tax ID numbers during the period, adding the exposure was isolated to Tax ID numbers displayed in the status bar of the web browser of the registration receipt.

“As of today, the UCR is confident that there is no further risk of Tax ID number exposure,” the agency said in a statement. “The issue has been resolved since the afternoon of March 28, 2019, and no future occurrence of displaying the Tax ID numbers of registrants can occur.”

UCR says it submitted the list of approximately 30,000 registrants to the Federal Motor Carrier Safety Administration for further assistance at the conclusion of the independent investigation and requested that FMCSA run those entries through its MCMIS database to determine the number of registrants who may have provided a Social Security Number to the database as the Tax ID number. The FMCSA determined that approximately 23,000 registrants could have done so, and UCR said notices have been mailed to the affected group. The agency has also offered identity monitoring services in an effort to prevent further inconvenience.