Washington State DOL Faces Allegations of Prolonged Data Security Failure
A tort claim filed against the Washington Department of Licensing (DOL) on March 3, 2026, alleges the agency knowingly left a critical security flaw in its License Express system unaddressed for years, potentially exposing the personal data of thousands of residents. The claim, represented by attorney Joel Ard of Ard Law Group on behalf of plaintiff William Black, asserts that the DOL was aware of the vulnerability as early as 2019 but failed to correct it until early 2025.
The flaw reportedly allowed unauthorized access to sensitive information, including birth dates and Social Security numbers, with evidence suggesting hundreds of driver’s licenses were misdirected to fraudulent addresses between Labor Day 2018 and February 2025. Fraudulent transactions involved burner visas, prepaid cards, and fake email addresses, raising concerns about identity theft and broader misuse of compromised data.
While the DOL has stated it found no evidence of a breach in the License Express service, critics argue the agency minimized the severity of the issue and delayed action. The claim further alleges the DOL downplayed notifications sent to affected residents, failing to fully acknowledge or rectify the problem. Internal records indicate the agency opened an investigation in 2019 but did not shut down the flawed system until 2025.
The case has drawn attention to potential voter roll vulnerabilities, as compromised identities could impact automatic voter registration tied to driver’s licenses. The DOL has 40 days remaining to formally respond to the claim, with officials confirming they are still reviewing the allegations. The incident underscores concerns about state compliance with Washington’s data privacy laws, which apply to government entities.
Washington State Department of Licensing cybersecurity rating report: https://www.rankiteo.com/company/washington-state-department-of-licensing
"id": "WAS1774052927",
"linkid": "washington-state-department-of-licensing",
"type": "Vulnerability",
"date": "9/2018",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Thousands of residents',
'industry': 'Government',
'location': 'Washington, USA',
'name': 'Washington Department of Licensing (DOL)',
'type': 'Government Agency'}],
'customer_advisories': 'Downplayed notifications to affected residents',
'data_breach': {'number_of_records_exposed': 'Hundreds (driver’s licenses '
'misdirected)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (Personally Identifiable '
'Information)',
'type_of_data_compromised': ['Birth dates',
'Social Security numbers',
'Driver’s license information']},
'date_detected': '2019',
'date_publicly_disclosed': '2026-03-03',
'date_resolved': '2025',
'description': 'A tort claim filed against the Washington Department of '
'Licensing (DOL) alleges the agency knowingly left a critical '
'security flaw in its License Express system unaddressed for '
'years, potentially exposing the personal data of thousands of '
'residents. The flaw allowed unauthorized access to sensitive '
'information, including birth dates and Social Security '
'numbers, with evidence suggesting hundreds of driver’s '
'licenses were misdirected to fraudulent addresses between '
'Labor Day 2018 and February 2025.',
'impact': {'brand_reputation_impact': 'Criticism for minimizing severity and '
'delaying action',
'data_compromised': 'Birth dates, Social Security numbers, '
'driver’s license information',
'identity_theft_risk': 'High (fraudulent use of driver’s licenses '
'and personal data)',
'legal_liabilities': 'Tort claim filed, potential violations of '
'Washington’s data privacy laws',
'operational_impact': 'Delayed action and investigation, system '
'shutdown in 2025',
'payment_information_risk': 'Prepaid cards and burner visas used '
'in fraudulent transactions',
'systems_affected': 'License Express system'},
'investigation_status': 'Ongoing (DOL reviewing allegations)',
'motivation': 'Identity theft, fraudulent transactions',
'post_incident_analysis': {'corrective_actions': 'System shutdown in 2025',
'root_causes': 'Prolonged unaddressed security '
'flaw in License Express system'},
'references': [{'source': 'Tort claim filed by Joel Ard of Ard Law Group'}],
'regulatory_compliance': {'legal_actions': 'Tort claim filed',
'regulations_violated': ['Washington’s data privacy '
'laws']},
'response': {'communication_strategy': 'Downplayed notifications to affected '
'residents',
'containment_measures': 'Shut down the flawed system in 2025'},
'title': 'Washington State DOL Prolonged Data Security Failure',
'type': 'Data Security Failure',
'vulnerability_exploited': 'Critical security flaw in License Express system'}