UCR reveals data breach
Social Security and tax identification numbers for approximately 30,000 motor carriers may have been exposed due to a vulnerability on the Unified Carrier Registration Plan’s website.
In a statement posted to the plan’s website, UCR announced that a vulnerability in its online national registration system “could have potentially exposed a UCR registrant’s tax ID number for a period of 28 days” in March.
The statement says that from March 1 through March 28, a UCR registrant’s tax ID number was displayed in the status bar of the web browser of the receipt created when registering in the system. According to UCR, the only way to view a tax ID number was by completing a successful login to the national registration system public website during the affected dates.
“Immediately upon learning of the website vulnerability on March 28, the UCR eliminated the website vulnerability by completely removing the use of tax ID numbers in the national registration system.”
The UCR’s statement says there is “no further risk of tax ID number exposure” and no indication that a “mass export of tax ID numbers occurred” during the period in question.
UCR says it submitted a list of approximately 30,000 at-risk registrants to the Federal Motor Carrier Safety Administration for further assistance. Approximately 23,000 carriers may have provided a Social Security number as a tax ID. UCR says it is individually notifying those carriers about the data vulnerability. The deadline for companies organized as sole-proprietorships to contact UCR for assistance is Jan. 16.
Tamara Young, a permits and licensing representative with OOIDA’s Business Services Department, serves as a nonvoting UCR Board member. She said she hopes the incident will prompt the board to more closely consider the impacts its policies and procedures have on the trucking industry “from all angles.” LL
Editor’s note: After we went to press, Tamara Young said the UCR board of directors hired cybersecurity firm Kroll Cyber Security LLC to help provide identity protection services to anyone affected by the breach. UCR has sent letters to those who were affected.