WA-2025-DOL-LICENSE-EXPRESS

Washington DOL License Express backdoor — 2018-2025 vulnerability; 1,000+ identity thefts before fix; breach notification law alleged violated

Documented Structural failure

A March 2026 tort claim alleges the Washington Department of Licensing maintained a known security vulnerability in its License Express online portal from Labor Day 2018 through February 2025, enabling identity theft through address changes and duplicate license orders. At least one fraudster completed more than 1,000 identity thefts using the vulnerability. DOL was warned by WSP in 2019 and again circa 2024, but did not fix the vulnerability until February 2025, citing budget constraints. The tort claim also alleges DOL violated the Washington Data Breach Notification Act.

What happened

Washington DOL’s License Express is the online portal used by Washington residents to renew driver’s licenses, manage accounts, and access licensing services. The system handles highly sensitive data including Social Security numbers, birth dates, driver’s license numbers, and residential addresses.

According to a tort claim filed March 3, 2026 by attorney Joel Ard (Ard Law Group) on behalf of Washington resident William Black, DOL introduced a security flaw into License Express around Labor Day 2018 when it implemented upgrades to the public-facing platform. The flaw allowed unauthorized users to:

  1. Access any resident’s driver’s license record using publicly circulated instructions (allegedly posted to dark web forums)
  2. Change the address on file for the resident’s license
  3. Order a replacement license delivered to the attacker-controlled address

According to the claim, the fraud pattern was often obvious — dozens or hundreds of replacement licenses ordered to a single address, paid for with prepaid or “burner” Visa cards, using fake email accounts. DOL allegedly created an internal spreadsheet to track early victims, which itself documented the method of access.
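The clustering the claim describes (many replacement licenses shipped to one address, paid with prepaid cards) is the kind of signal a velocity check over order records can surface. The following is an added example, not code from DOL or the tort claim; the record fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

def normalize(addr):
    """Collapse case, punctuation and spacing so trivial variants match."""
    return " ".join("".join(c if c.isalnum() else " " for c in addr.upper()).split())

def flag_delivery_clusters(orders, min_licensees=5, window_days=30):
    """Return {address: summary} for addresses receiving replacement licenses
    for at least min_licensees distinct people inside any window_days span."""
    by_addr = defaultdict(list)
    for o in orders:
        by_addr[normalize(o["ship_to"])].append(o)
    flagged = {}
    for addr, rows in by_addr.items():
        rows.sort(key=lambda o: o["ordered_on"])
        peak, start = 0, 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most window_days.
            while rows[end]["ordered_on"] - rows[start]["ordered_on"] > timedelta(days=window_days):
                start += 1
            peak = max(peak, len({r["licensee_id"] for r in rows[start:end + 1]}))
        if peak >= min_licensees:
            flagged[addr] = {
                "peak_licensees": peak,
                # Secondary signals named in the claim's description of the pattern.
                "prepaid_share": sum(r["card_type"] == "prepaid" for r in rows) / len(rows),
                "changed_same_day": sum(r["address_changed_on"] == r["ordered_on"] for r in rows),
            }
    return flagged

# Constructed sample data: six different licensees redirected to one address
# within a week, plus one ordinary household with two orders months apart.
SAMPLE = [
    {"licensee_id": f"L{i}", "ship_to": "12 Example St. Apt 4", "ordered_on": date(2020, 3, 1 + i),
     "card_type": "prepaid", "address_changed_on": date(2020, 3, 1 + i)}
    for i in range(6)
] + [
    {"licensee_id": "L100", "ship_to": "98 Sample Ave", "ordered_on": date(2020, 1, 5),
     "card_type": "credit", "address_changed_on": None},
    {"licensee_id": "L101", "ship_to": "98 sample ave.", "ordered_on": date(2020, 6, 9),
     "card_type": "credit", "address_changed_on": None},
]

if __name__ == "__main__":
    for addr, info in flag_delivery_clusters(SAMPLE).items():
        print(addr, info)
```

Counting distinct licensees rather than raw orders keeps a household that legitimately reorders from being flagged, and the window keeps long-lived shared addresses from accumulating a score over years.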

The claim states DOL sought assistance from WSP in 2020 or early 2021, acknowledging at that point that approximately 1,000 successful fraudulent license redirections had already occurred. WSP opened an investigation in August 2019 and closed it in September 2021, citing a lack of active leads, and notified DOL. By approximately 2024, WSP was informing DOL that the volume of new cases each month exceeded its investigative capacity.

Despite this documented history, DOL did not close the vulnerability until February 2025. The tort claim states DOL cited budget constraints as the reason for not implementing the technical fix. License Express was taken offline February 10–18, 2025 while the fix was implemented.

The claim further alleges that DOL never fulfilled its obligations under the Washington Data Breach Notification Act to notify individuals whose data was accessed and compromised.

DOL’s position: DOL disputes the allegation of widespread fraud and states it found no evidence of a data breach through License Express. The agency states the system requires customers to input personal credentials (birth date and Social Security number) before gaining access.

WSP’s position: WSP confirmed it was asked to investigate suspected fraudulent use of DOL’s License Express system in August 2019, pursued evidence of identity theft, and closed the case in September 2021 due to lack of active leads.

What the primary source says

The tort claim, as reported by FOX 13 Seattle (March 5, 2026), states: “In-between Labor Day of 2018 and February of 2025, anybody could find the directions on how to get into the License eXpress system, pick a person and change the address on their license, and order a new license.” Attorney Joel Ard described the vulnerability as “blatant and unmistakable.”

DOL’s official statement: “The Department of Licensing is reviewing the tort claim notice filed with Department of Enterprise Services on March 3, 2026. DOL disputes the allegation of widespread fraud and has found no evidence of a data breach through its License Express service.”

Status

Tort claim filed March 3, 2026. DOL had 60 days to respond as of the March 5, 2026 news coverage. DOL disputes the central allegations. No criminal investigation has been publicly announced as of this record’s last update. The vulnerability is reported as closed as of February 18, 2025. No confirmed class action has been filed.

Note on date_surfaced: This case was surfaced publicly by the March 2026 tort claim and contemporaneous news coverage. The conduct period (the vulnerability window) runs from approximately September 2018 through February 2025.

Note on legal_status: The task specification records this as closed_no_action reflecting DOL’s position that no breach occurred. This record uses complaint_filed because a formal tort claim was filed with the Department of Enterprise Services on March 3, 2026 as a precursor to civil litigation, and a potential breach notification violation is alleged under state law. The distinction should be reviewed at next update.

Why it’s in the registry

The 6.5-year vulnerability window is the structural finding: a known-exploitation vulnerability in a state system holding the most sensitive personal data of nearly every Washington driver persisted across multiple administrative cycles, multiple budget years, and multiple warnings from WSP, without remediation or public disclosure. This is not an undiscovered vulnerability — it is a documented decision to not fix a known problem, for budget reasons, while identity theft continued. The breach notification failure means affected residents had no opportunity to protect themselves. Both failures — no remediation and no disclosure — reflect the absence of statutory enforcement mechanisms with fixed timelines and mandatory escalation.

Reform implication

State IT cybersecurity disclosure requirements should be statutory and tied to fixed-window remediation timelines. When a state agency identifies a known-exploitable vulnerability in a system holding sensitive personal data for millions of residents: (1) notification to affected individuals should be mandatory within a defined statutory window, not subject to budget discretion; and (2) remediation should be required within a defined timeline with mandatory escalation to WaTech and the Legislature if budget constraints prevent timely action. Current practice — which allowed DOL to monitor ongoing fraud for six-plus years without mandatory public disclosure — leaves the public unaware of ongoing risk. See [reform: cybersecurity_disclosure] and [reform: it_modernization_governance].

Reform implication

The License Express vulnerability persisted for approximately six and a half years — across multiple administrative cycles, two governors, and multiple WaTech oversight periods — without mandatory public disclosure or a fixed remediation timeline.

The tort claim documents that WSP notified DOL of suspected fraudulent use of the system in August 2019. DOL knew by at least 2020 or early 2021 that more than 1,000 successful fraudulent identity thefts had occurred through the system. By 2024, WSP was informing DOL that the volume of new cases each month exceeded WSP's capacity to investigate. Despite this documented knowledge, DOL did not close the vulnerability until February 2025 — citing, per the tort claim, budget constraints.

The structural finding is the 6.5-year window. A vulnerability that generates more than 1,000 confirmed identity thefts, that WSP warns DOL about in 2019 and again confirms is overwhelming its caseload in 2024, and that DOL does not fix for budget reasons, is not a technology failure — it is a governance failure. The decision not to allocate budget to fix a known-active-exploitation vulnerability is an executive decision, made repeatedly across multiple budget cycles, with documented ongoing harm to Washington residents.

The breach notification failure compounds the structural finding. Washington's Data Breach Notification Act requires timely notice to affected individuals. The tort claim alleges DOL never fulfilled that obligation for the License Express vulnerability. Individuals whose license records were accessed and altered had no way to know their identity had been compromised. They could not monitor, freeze credit, or take protective action because DOL did not tell them.

Reform argument: state IT cybersecurity disclosure requirements should be statutory and tied to fixed-window remediation timelines — not subject to budget discretion. When a state agency identifies a known exploitable vulnerability in a system holding sensitive personal data for millions of residents, the obligation to (1) notify affected residents and (2) remediate within a defined statutory period should not be overrideable by budget constraints. Current DOL and WaTech practices left the public unaware of ongoing risk for more than six years. See [reform: cybersecurity_disclosure] and [reform: it_modernization_governance].

Sources

  1. Tier 1 Agency statement · Washington State Department of Licensing · Nathan Olson, Digital Communications and Outreach Director · Mar 5, 2026
    DOL statement on License Express tort claim — review of March 3, 2026 tort claim notice
    “The Department of Licensing is reviewing the tort claim notice filed with Department of Enterprise Services on March 3, 2026. DOL disputes the allegation of widespread fraud and has found no evidence of a data breach through its License Express service. That service requires customers to input personal credentials (such as birth date and Social Security number, if applicable) before gaining access. DOL takes allegations of fraud seriously.”
  2. Tier 2 News · FOX 13 Seattle · Mar 5, 2026
    Tort claim alleges WA DOL left your information open to criminals
    “In-between Labor Day of 2018 and February of 2025, anybody could find the directions on how to get into the License eXpress system, pick a person and change the address on their license, and order a new license.”
  3. Tier 2 News · KING 5 News · Mar 5, 2026
    Claim: Washington DOL left 'back door' security flaw open for years