Pennsylvania's Department of Transportation rakes in tens of millions of dollars annually by selling drivers' license information to insurance providers and background check companies, KYW-TV reported.
PennDOT has pulled in $89.9 million since 2016, according to the news station's investigative report. The department has been selling the data, which includes names, addresses, and information on traffic violations for up to 10 years.
The state uses the money for road repairs and mass transit, according to PennDOT.
How does it work?
The process starts when a driver applies for a job, car insurance or credit.
A wholesaler pays several dollars for each record that's used to verify the information on the application.
“More of what the entities are looking for are citations, DUIs, those sorts of things,” PennDOT spokeswoman Alexis Campbell said.
The company purchasing the information signs an affidavit spelling out the rules for use of the data. Reselling the information isn't allowed.
Have companies violated the agreement?
Yes, and that's where the trouble begins.
"It's qualified data. It's what we called validated data, so it's very valuable," Robert D'Ovidio, a cybercrime expert, told KYW.
D’Ovidio said it becomes difficult to protect drivers' information when third parties sell and re-sell the data.
“When we sell it to third parties and then they go on and sell it, then that person goes and sell it, then we start getting into uses where it’s not intended, where it goes beyond what the customer, what you and I, expect to be done to our data,” he said.
The practice is similar to the Facebook privacy scandal, involving Cambridge Analytica, except that PennDOT audits the entities that purchase the data.
What did the audits find?
An audit of Sterling Infosystems found “inadequate security” and “inaccurate customer listing."
And LexisNexis had a “lack of customer safeguards to ensure security," according to an audit.
Sterling Infosystems and LexisNexis responded in the audits that they've rectified the problems, KYW reported.
PennDOT said they've found no incidences where anyone's information has been compromised.
“Part of what the audit does is it gives us a mechanism to help keep track of how the companies are managing that data,” Campbell said.