UCR data for 30,000 carriers may have been exposed due to website issue
October 24, 2019
Social Security and tax identification numbers for approximately 30,000 motor carriers may have been exposed due to a vulnerability on the Unified Carrier Registration Plan’s website, according to the plan’s website.
In a statement posted to the Plan’s website, UCR announces that a vulnerability in its online National Registration System “could have potentially exposed a UCR registrant’s tax ID number for a period of 28 days” in March.
The statement says that from March 1 through March 28, a UCR registrant’s tax ID number was displayed in the status bar of the web browser of the receipt created when registering in the system. According to UCR, the only way to view a tax ID number was by completing a successful login to the National Registration System public website during the affected dates.
“Immediately upon learning of the website vulnerability on March 28, the UCR eliminated the website vulnerability by completely removing the use of tax ID numbers in the National Registration System.”
The UCR’s statement on the data breach says there is “no further risk of tax ID number exposure” and no indication that a “mass export of tax ID numbers occurred” during the period in question.
UCR says it submitted a list of approximately 30,000 at-risk registrants to the Federal Motor Carrier Safety Administration for further assistance. UCR requested the agency run those entries through the Motor Carrier Management Information System database to determine the number of registrants who may have used a Social Security number as a tax ID number. Approximately 23,000 carriers may have provided a Social Security number as a tax ID. UCR says it is individually notifying those carriers about the data vulnerability.
Tamara Young, a permits and licensing representative with OOIDA’s Business Services Department, serves as a nonvoting UCR Board representative. She said she hopes the incident will prompt the board to more closely consider the impacts its policies and procedures have on the trucking industry “from all angles.”
“Hopefully from here on out the UCR Board and affiliates will take everyone’s perspective into consideration, and make sure a program is near flawless before implementing it,” Young said.
UCR says it has mailed offers for identity monitoring services to those affected carriers.
“Protecting registrants’ information is important to the UCR,” the statement reads. “The UCR hopes the identity monitoring services offered to the notification pool will alleviate any inconvenience or concern caused by this incident.”