Server exposure from Illinois vendor with access to driver’s license data raises questions
A computer server of a vendor with city and state contracts to sell Illinois license plate stickers and Chicago vehicle stickers at currency exchanges was exposed to the internet in May — although city and state officials insist there was no security breach.
But that’s not enough for one Cook County watchdog, who says officials need to conduct a thorough investigation to determine what exactly was exposed and how the mishap occurred before they can give the all clear sign.
“It sounds like they’re making a guarantee, which always worries me,” Cook County Inspector General Patrick Blanchard said.
Despite provisions in Electronic License Service LLC’s contracts with both the Illinois secretary of state and the Chicago city clerk’s office that outline the steps to take after a potential security breach — including a secretary of state guideline to hire a “forensics expert” to conduct an investigation — both offices say there’s nothing to worry about.
ELS is one of five companies with contracts with both the Illinois secretary of state’s office and the city clerk of Chicago to allow it to sell stickers at currency exchanges. It’s owned by John Iberl, who runs the Illinois Community Currency Exchange PAC, which has donated to both Illinois Secretary of State Jesse White and former City Clerk Susana Mendoza. He’s also donated to Mendoza’s comptroller campaign fund.
As a vendor, ELS has access to government systems and the personal information of hundreds of thousands of customers. The company is estimated to have generated almost $40 million since 2017 from Illinois and city residents buying city stickers and license plate registrations. The company has processed more than 3.7 million license plate stickers and more than 844,000 city vehicle stickers, since 2017, generating $4.6 million in fees from the sale of city stickers.
The development server, commonly referred to as a Jenkins server, was exposed to the internet in May, according to a screen grab of the server at the time of the breach, obtained by the Sun-Times. The “workspace” folders included ones with labels that contained “citysticker-2009” and “chi_parking” and “citysticker,” among others. It also contained a “.git” file, which in some cases is used to store credentials to allow access to databases.
The clerk’s office said activity was detected on the development server, and it was “flagged.” The office said there was no data breach, just “activity.”
“Earlier this year, activity was detected on one of ELS’ development servers, and immediate steps were taken to identify the activity,” clerk’s office spokeswoman Kate LeFurgy said in a statement. “There was no impact on the Office of the City Clerk’s data. The server and associated activity were not related to the Office of the City Clerk.”
The secretary of state’s office said, “our office confirmed that there was no compromise of SOS data involved.”
ELS owner Iberl said in an that he was “not authorized to comment to the media.”
Blanchard said the server exposure warrants a closer look, and an internal assurance by both offices that all is clear isn’t enough.
Blanchard said he conferred with data experts in his office, who agreed “a lot more information needs to be obtained before somebody could even begin to assess what issues may be at play.”
Blanchard said both the secretary of state’s office and the clerk’s office should be looking into the scope of the breach, if there was one, as well as how it happened and how it could occur.
There are several provisions for breaches in ELS’ contracts with both offices, which include reporting it to the secretary of state’s office within 24 hours “via telephone and in writing, any unauthorized access, use or misuse of the SOS information and/or computer system, including any suspected or actual breach.” If a data breach is confirmed, there’s also a provision for the secretary of state’s office to hire a forensics expert to “conduct a full and thorough investigation” and report the findings at the developer’s expense.
Per the contract with the city clerk, ELS must contact the city if security of any protected information was breached and provide that information to the city. ELS, too, if requested by the city, would have to notify affected individuals if a breach happened.
Illinois also has the Illinois Personal Protection Act, which requires companies with personal information about state residents to maintain security measures to protect data from unauthorized access. It also specifies required actions if a data breach happens, like notifying Illinois residents of a breach to their data as soon as possible and without delay.
If a data breach does happen, consumers are also able to sue the company under the Consumer Fraud and Deceptive Business Practices Act. And the Illinois Attorney General could bring action against a company with violations and seek an injunction or fine them.
The Federal Trade Commission also has guidelines, calling a breach any time hackers take personal information from a server, an insider steals customer information or if information was “inadvertently exposed” on the Internet. The FTC recommends hiring independent forensic experts to determine the source and scope of the breach.