Last Thursday two masked men, operating a stolen jeep, pulled up next to a courier’s white van that was parked outside a MA RMV location, jumped out of the jeep and stole five bags from the courier’s van. This is according to witnesses’ accounts reported to police.
According to the MA Department of Transportation Press Secretary, the private courier worked for the Registry of Motor Vehicles and the five bags contained documents, not money. The documents included:
“Personal customer information is contained in the types of paperwork stolen. The records included names, dates of birth, addresses and license numbers. The types of paperwork stolen do not include the social security numbers of Massachusetts residents,” she said.
As reported by the Gloucester Times
Apparently between 500-600 customers were affected.
The police are saying it was a targeted theft, but that maybe the men thought the bags contained money. These guys used a car that had been recently stolen and had a second getaway car parked nearby.
This seems like a lot of work to go through to steal 500-600 people’s registry transaction paperwork. The “they thought the bags had money” theory seems more likely.
But… if the bad guys had this thing so planned out, why didn’t they know that the bags didn’t contain money? Does the courier usually have the Registry’s money, but only had the paperwork on this particular morning? That is an important question.
The other important question is: exactly what information was taken? Was there something about the information that would be valuable? The registry took care to say that no “social security numbers” or “credit card information” was taken. But if the stolen information was in the right (wrong) hands, what could they do with it?
Usually a theft like this involves access to inside information. It’s not like these guys would sit outside the Wilmington branch of the RMV every day to learn the courier’s schedule. That might happen in the movies, but in my experience, criminals are just too lazy to do that leg work. They will either know someone on the inside who can tell them the schedule, or one of them IS on the inside and works for either the RMV or the courier service. Either way, the information should have included the fact that no money would have been in those bags or we have yet another example of “world’s stupidest criminals.”
From a data security standpoint, this crime should serve as notice to those companies still using data in paper form that they are not immune from being “hacked.” This incident is technically a data breach, right? And since it involves a State agency, different rules apply.
Executive Order 504 requires Massachusetts State Agencies to protect “Personal Information.” Because M.G.L. 93H and 201 CMR 17 do not apply to public entities, this order seeks to close a loophole with one big exception: penalties for non-compliance… or lack thereof.
Since it appears that the courier was a private company and the RMV is a State agency, they would have had to execute a contract with specific language regarding the protection of Personal Information of Massachusetts residents. Exec Order 504 commands it.
So, what at first blush appears to be a couple of bungling idiots taking the wrong bags (or the right bags on the wrong day) may turn into an “investigation” into the lack of protection afforded 500-600 Massachusetts residents’ personal information.
Did the contract between the RMV and the courier have the appropriate language?
Did the courier have the appropriate protections in place?
How much will this incident cost the courier? The State? There are procedures under Exec Order 504 that must be followed.
Until I hear that this courier usually carried money I will presume that the theft of information was the goal of the bad guys’ actions. I mean, these guys stole a car just hours before this crime, had a second car ready to go, wore masks, and pulled this off at 9:00am? If you go to all that trouble and don’t know exactly what’s in those bags you deserve to serve time for stealing paper…