Washington State DOL Data Breach Exposed Millions for Six Years
A lawsuit filed against the Washington State Department of Licensing (DOL) alleges the agency knowingly left a critical security flaw in its License Express system unaddressed for six years, potentially exposing the personal data of every resident with a driver’s license or state ID. The breach, first flagged in 2019, could have enabled identity theft, stalking, and voter fraud.
Attorney Joel Ard, representing plaintiff William Black, claims the DOL discovered the vulnerability after noticing 50–75 driver’s licenses were fraudulently ordered to a single Puyallup apartment all linked to the same email and paid for with a burner Visa card. Despite identifying hundreds of fraudulent transactions, the DOL allegedly failed to notify affected residents or the Attorney General’s Office within the 45-day legal deadline, instead downplaying the severity of the breach.
The DOL reportedly shut down the system in February 2025 after years of inaction, though the lawsuit argues the agency prioritized avoiding accountability over protecting residents. A tort claim has been filed, and if unanswered within 60 days, a lawsuit in Chelan County will proceed. The case raises questions about the DOL’s compliance with state data breach laws and its handling of a long-standing security failure.
Source: https://mynorthwest.com/john-curley/dol-massive-data-breach/4212266
Washington State Department of Enterprise Services cybersecurity rating report: https://www.rankiteo.com/company/wastatedes
"id": "WAS1772684659",
"linkid": "wastatedes",
"type": "Breach",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Millions (every resident with a '
'driver’s license or state ID)',
'industry': 'Public Sector',
'location': 'Washington, USA',
'name': 'Washington State Department of Licensing '
'(DOL)',
'size': 'Large (state-level agency)',
'type': 'Government Agency'}],
'attack_vector': 'Vulnerability Exploitation',
'customer_advisories': 'None issued within legal deadline',
'data_breach': {'data_exfiltration': 'Fraudulent driver’s license orders '
'(50–75 linked to a single address)',
'number_of_records_exposed': 'Millions',
'personally_identifiable_information': 'Yes (driver’s '
'license/state ID '
'details)',
'sensitivity_of_data': 'High (personally identifiable '
'information)',
'type_of_data_compromised': 'Personal data (driver’s '
'license/state ID information)'},
'date_detected': '2019',
'date_resolved': '2025-02',
'description': 'A lawsuit filed against the Washington State Department of '
'Licensing (DOL) alleges the agency knowingly left a critical '
'security flaw in its License Express system unaddressed for '
'six years, potentially exposing the personal data of every '
'resident with a driver’s license or state ID. The breach '
'could have enabled identity theft, stalking, and voter fraud.',
'impact': {'brand_reputation_impact': 'Severe (alleged prioritization of '
'avoiding accountability over '
'protection)',
'data_compromised': 'Personal data of every resident with a '
'driver’s license or state ID',
'identity_theft_risk': 'High (potential identity theft, stalking, '
'voter fraud)',
'legal_liabilities': 'Tort claim filed, potential lawsuit in '
'Chelan County',
'operational_impact': 'System shutdown in February 2025',
'systems_affected': 'License Express system'},
'investigation_status': 'Ongoing (tort claim filed, potential lawsuit '
'pending)',
'motivation': 'Fraudulent driver’s license orders, potential identity theft, '
'stalking, voter fraud',
'post_incident_analysis': {'corrective_actions': 'System shutdown in February '
'2025',
'root_causes': 'Critical security flaw left '
'unaddressed for six years, failure '
'to act on fraudulent transactions'},
'references': [{'source': 'Lawsuit filed by Attorney Joel Ard on behalf of '
'William Black'}],
'regulatory_compliance': {'legal_actions': 'Tort claim filed, potential '
'lawsuit in Chelan County',
'regulations_violated': 'State data breach laws '
'(failure to notify within '
'45 days)',
'regulatory_notifications': 'Failed to notify '
'Attorney General’s '
'Office within legal '
'deadline'},
'response': {'communication_strategy': 'Failed to notify affected residents '
'or the Attorney General’s Office '
'within the 45-day legal deadline',
'containment_measures': 'Shut down the License Express system in '
'February 2025'},
'title': 'Washington State DOL Data Breach Exposed Millions for Six Years',
'type': 'Data Breach',
'vulnerability_exploited': 'Critical security flaw in License Express system'}