Republished from the official UCR website.
The Unified Carrier Registration Plan (UCR) is reporting that, on March 28, 2019, a website vulnerability existed in its online National Registration System that could have potentially exposed a UCR registrant’s Tax ID number for a period of 28 days in March 2019.
The UCR determined that, during the period of March 1 through March 28, a UCR registrant’s Tax ID number was displayed in the status bar of the web browser of the receipt created upon completion of the registration process in the National Registration System. Immediately upon learning of the website vulnerability on March 28, the UCR eliminated the website vulnerability by completely removing the use of Tax ID numbers in the National Registration System.
Shortly thereafter, the UCR hired a leading independent cybersecurity firm to perform a forensic investigation into the event. The investigation produced the following conclusions:
Upon conclusion of the independent investigation, the UCR submitted the list of approximately 30,000 registrants to the Federal Motor Carrier Safety Administration (FMCSA) for further assistance. The UCR requested that the FMCSA run those entries through FMCSA’s MCMIS database to determine the number of registrants who may have provided a Social Security Number to the database as the Tax ID number. The FMCSA determined that approximately 23,000 of these registrants may have provided a Social Security Number to the database as the Tax ID number. The UCR concluded, therefore, that these approximately 23,000 registrants were potentially open to Social Security Number exposure during the period from March 1, 2019, through March 28, 2019. UCR has elected to individually notify this pool of approximately 23,000 registrants (the “Notification Pool”) of the March 2019 data event.
The UCR has retained a leading provider of data event response services to provide notification services to the Notification Pool. Notices were mailed out recently to the Notification Pool offering identity monitoring services in an effort to prevent any further inconvenience.
Protecting registrants’ information is important to the UCR. The UCR hopes the identity monitoring services offered to the Notification Pool will alleviate any inconvenience or concern caused by this incident. The UCR upholds a continued commitment to the safety and security of its registrants.
The UCR was established by Congress in 2005 as an interstate compact responsible for developing, implementing, and administering the National Registration System. The UCR is independent of the United States Department of Transportation and the FMCSA.
See plan.ucr.gov for further information about the UCR.