A major proposed class-action lawsuit has been filed against the Washington State Department of Licensing (DOL), accusing the agency of keeping a blatant online security loophole open for years. According to the complaint, this critical flaw allowed identity thieves to easily intercept residents’ personal data, modify their home addresses, and fraudulently order replacement driver’s licenses.
The legal action centers on “License eXpress,” an online portal launched by the DOL in 2018 to manage driver licensing services. The platform stored highly sensitive personal information, including full names, Social Security numbers, birth dates, home addresses, and photographs. The lawsuit alleges that a specific feature of the system, known as the “No Logon” pathway, allowed users to access account services without ever logging in or creating a password. Instead, anyone possessing just a target’s name, date of birth, and driver’s license number could easily pull up their record, switch the mailing address to a new location, and order a replacement card.
The complaint highlights that the fraudulent activity should have been obvious to the state. Thieves frequently ordered dozens or even hundreds of duplicate licenses to be delivered in bulk to identical addresses—such as a single apartment complex in King County—often utilizing the exact same email address for multiple distinct accounts.
Internal documents cited in the lawsuit show that the DOL’s Driver and Vehicle Investigations Unit was aware of the issue early on, initially identifying a single case that compromised 300 to 400 victims. As the fraud ballooned, the agency sought assistance from the Washington State Patrol. By late 2020 or early 2021, over 1,000 successful identity thefts had been documented. The lawsuit claims that despite warnings from the State Patrol in 2024—stating that the influx of hundreds of new identity theft cases a month was unmanageable unless the state fixed the root cause—the DOL failed to shut down the “No Logon” pathway until February 2025. Furthermore, the agency is accused of failing to properly notify the public about the massive exposure.
The lawsuit features plaintiffs who suffered severe personal disruptions due to the security flaw. One named plaintiff, Bess Byers, discovered she was a victim of identity theft in early 2020 after bad actors used her information to secure loans, apply for credit cards, and make unauthorized purchases. The fraud even disrupted her civic participation, preventing her from receiving her primary and general election ballots later that year. Another plaintiff, a former Chelan County Sheriff’s deputy, found that his compromised information had been used to fraudulently apply for state unemployment benefits while he was actively employed.
The lawsuit aims to represent all Washington residents whose personal driver’s license information was compromised through the portal, with a specific subclass dedicated to individuals who suffered documented financial damages from the resulting identity theft. For its part, the DOL has disputed the allegations, claiming that it has found no evidence of an actual system data breach, and maintained that past state patrol investigations into individual identity fraud cases were closed due to a lack of active leads.
Leave a Reply