The Anchorage Police Department inadvertently released the protected personal information of more than 11,000 people involved in traffic accidents for almost two years, officials said Wednesday.
The department said Wednesday in a prepared statement that it realized in February its report-writing system was malfunctioning, uploading unredacted traffic collision reports to LexisNexis, a company that makes public records accessible.
The system is programmed to automatically redact the birthdates and driver’s license numbers of people involved in traffic crashes for public copies of reports, said Capt. Sean Case. But for reasons that are still unclear, he said, the system stopped doing the redactions in April 2019. The problem was discovered Feb. 15 this year.
The public can access traffic reports through an online records request, by physically going to the police station, or online through LexisNexis. Insurance companies and lawyers are the main groups that access the reports through LexisNexis, Case said.
“Individual people generally go through the normal records request process because that’s (what they’re) most familiar with,” Case said.
After a collision, drivers will exchange information and often take photos of one another’s driver’s licenses, which would contain their license number and birthday. It’s OK for individuals to release their own information, but it’s against Alaska law for a law enforcement agency to release dates of birth or driver’s license numbers, Case said.
The release of that information can leave people more vulnerable to identity theft.
“It becomes complicated to do it and challenging with a name and date of birth, driver’s license — the Social Security number generally is the piece of personal information that makes it substantially easier to engage in identity theft,” he said.
There has been no known misuse or attempted misuse of the information, Case said.
The accidental upload of driver’s license numbers and birth dates is not, on its own, a serious threat for identity theft, said Brett Callow, a Canada-based cybersecurity expert and threat analyst.
“Probably not in and of itself. It is a starting point,” he said in a phone interview Wednesday. “The more tidbits of information an identity thief knows about individuals, the easier for them.”
The Anchorage Police Department’s accidental data release “would seem to be very much at the low end” of the severity threat, Callow said.
“The information isn’t extremely sensitive, by the sounds of this,” he said. “Nor is it publicly available.”
Unlike the open internet, LexisNexis data is open only to paid subscribers.
Compare that to ransomware attacks on police departments in Washington D.C., and Azusa, California, that threatened to expose highly sensitive criminal investigation material — even the names of gang informants to the gangs they were informing on, Callow said.
The department immediately stopped the online report uploads when officials realized the unredacted information was being released, the department said. All the unredacted reports were pulled from the LexisNexis system, Case said.
Police made a programming correction to the report-writing system, and Case said the department is continuously checking to make sure it’s functioning properly.
The department is notifying by letter 11,402 people who were impacted, and Case said the department will set up a phone line to answer questions and address public concerns. Credit monitoring will be provided for a period of time to anyone who wants to use it, he said.
The department will be upgrading technology this year, and Case said that should help prevent such a situation from happening again.