Audit of Security and Controls Over the National Driver Register
October 29, 2007
Project ID: FI-2008-003
On October 29, we issued a final report on the audit of the National Driver Register (NDR) system administered by the National Highway Traffic Safety Administration (NHTSA). NDR is a central register that enables state department of motor vehicle officials to exchange information on problem drivers in each state, such as those convicted of driving under the influence of alcohol. This helps prevent problem drivers from obtaining a driver's license to operate a vehicle or being hired for safety-sensitive positions. In 2006, state officials made more than 70 million inquiries for driver license applicants, 9 million of which were found in NDR. Forty-two million problem drivers are recorded in NDR with personally identifiable information, such as driver's name, Social Security number, date of birth, gender, height, weight, and eye color.

We found that drivers' personally identifiable information was properly secured in the NDR mainframe database. However, when transmitted or stored outside the mainframe computer, it was exposed to potential unauthorized access or unapproved use. For example, this sensitive information was not encrypted when transmitted on the network.

We also found deficiencies with the data stored in NDR. For example, problem drivers were not recorded in NDR in a timely manner; millions were not recorded until at least 1 year after conviction. This increases the potential that problem drivers could seek a valid license in another state. In addition, we found that information about drivers' physical attributes, such as height and eye color, was missing from about 18 million records; there were over 161,000 duplicate Social Security numbers; and problem driver records were improperly removed from the NDR database. NHTSA has concurred with our findings and recommendations.