The Unified Carrier Registration Plan (UCR) has reported that the tax identification numbers of registrants may have been exposed during March due to a website vulnerability that existed in its online National Registration System.

The UCR is an independent interstate compact responsible for developing, implementing and administering the National Registration System, established by Congress in 2005. The program requires individuals and companies that operate commercial motor vehicles in interstate or international commerce to register their business with a participating state and pay an annual fee based on the size of their fleet. 

According to a UCR statement, "From March 1 through March 28, a UCR registrant’s Tax ID number was displayed in the status bar of the web browser of the receipt created upon completion of the registration process in the National Registration System. Immediately upon learning of the website vulnerability on March 28, the UCR eliminated the website vulnerability by completely removing the use of Tax ID numbers in the National Registration System."

After learning of the data breach, the UCR hired a leading independent cybersecurity firm to perform a forensic investigation into the event. The audit found that approximately 30,000 identification numbers may have been exposed, but "there is no indication that a mass export of Tax ID numbers occurred," says the UCR.

The UCR said it submitted the list of breached numbers to the Federal Motor Carrier Safety Administration, which determined that 23,000 of the registrants used Social Security numbers as their tax identification and that it would individually notify this pool.