Defending DMV Data from Accelerating AI Threats

The California Department of Motor Vehicles uses Proofpoint to protect 10,000+ employees, data, and the agency's future in an AI-accelerated threat landscape.

California DMV

At A Glance

Every day, the California DMV serves millions of Californians every day and processes billions of dollars in transactions. To keep customer and employee data secure, the agency partnered with Proofpoint for layered email defense, data loss prevention, and Cloud App Security Broker (CASB) visibility. Now the partnership is being extended to meet the next wave of AI-powered threats.

Products Used

  • Enterprise DLP
  • Data Security
  • Email Protection
  • Threat Protection

Proofpoint is very helpful from a data loss prevention perspective. We can see in a very good dashboard view how much information is meeting certain criteria as far as having driver's license number or social security number or credit card.


Mayur Patel, Information Technology Specialist, California DMV

Company Size

10,000 employees

Headquarters

California, United States

1.8 M
malicious messages blocked in 30 days
380K+
advanced threats blocked in 30 days
10K
employees protected
CHALLENGES
  • A state-sized attack surface: The DMV serves millions of Californians and processes billions of dollars in transactions across the state. A breach would erode the public trust the agency depends on.
  • Increased phishing attacks with no visibility: The agency’s Security Operations Center (SOC) was fielding 50–100 incidents a day with limited visibility into the blind spots attackers were exploiting. 
  • The double-edged sword of AI: Attackers use AI to craft sharper phishing emails while employees upload sensitive data to consumer AI tools. The DMV’s defense was designed for an earlier era. 
RESULTS
  • 1.8 million unwanted and malicious messages blocked in a single month, including more than 380,000 advanced phishing, BEC, and malware threats neutralized before they reached an inbox. 
  • Visibility into the agency's most-attacked users through Very Attacked People (VAP) risk scoring, letting the team tighten policy and catch incidents before they can spread.
  • A clearer view of data exfiltration risk through the DLP dashboard and the Data Security Workbench to protect sensitive data.

The Challenge

Securing Data, Email, and the Road Ahead

The California Department of Motor Vehicles (DMV) serves millions of Californians every day. With field offices across the state, a website that processes billions of dollars in transactions, and more than 10,000 employees, the agency holds some of the most sensitive personal data anyone in the state will ever share.  

For Mayur Patel, Information Technology Specialist in the agency's Security Operations Center (SOC), the risk of sensitive data leaving the organization was huge. "If we lose their trust by having a security breach, we will lose a huge amount of credibility," he explains.  

Increasingly, the job was getting harder. Patel and his team were fielding between 50 and 100 incidents a day, and the agency’s legacy email system was letting through threats that should never have reached a user's inbox. 

Beyond the volume of incidents, the team was working with blind spots. Suspicious logins, risky user behavior, and attack test probes were difficult to see with existing tools. Not to mention the rapidly growing role of AI. Today’s attackers adopt generative AI to write sharper phishing emails that evade signature-based detection. At the same time, employees are uploading data to consumer AI tools, raising fresh risks for an agency that must safeguard regulated personal data. 

“One of the biggest insider threats we're trying to get ahead of is the use of shadow AI and employees uploading confidential documents to external tools that fall outside policy guidelines,” says Dominic Nassardi, Information Security Specialist in the agency's SOC. 

The DMV needed a security platform that could protect every field office, every transaction, and the personal data of millions of Californians. It needed to bring visibility to the agency's blind spots and stay ahead of what AI brings next. It needed Proofpoint.

The Solution

Layered Defense, Built for the AI Era 

As the DMV deployed Proofpoint, Patel was part of the SOC team helping shape the configuration. Its top priority was email security layered into the agency's defenses. The Proofpoint solution stack includes Enterprise Email Protection, Targeted Attack Protection (TAP), and Threat Response Auto-Pull, which all work together to filter, detect, and remediate threats at the gateway.  

Alongside the filtering, Proofpoint surfaces a Very Attacked People (VAP) score that ranks every user by how often attackers target them. The SOC can sort the list, look at any user's full activity history, and tighten policy where the risk concentrates. "Proofpoint did shine a light on things that we weren't really able to see well with our other tools," Patel says. 

On the data side, Proofpoint DLP gives the SOC a dashboard view of what is leaving the agency and lets analysts quickly trace alerts back to specific users. Proofpoint CASB extends that visibility into the cloud environments. For Nassardi, that integration is what turned a fragmented toolset into a unified one. "CASB has been very successful in assisting our organization with safeguarding access points and user identity," he says. "It really identifies some of the blind spots that we had before within the SOC."  

The Results

Millions of Threats blocked. Blind Spots Eliminated. 

Over a 30-day period, Proofpoint blocked 1.8 million unwanted and malicious messages bound for DMV inboxes, including more than 380,000 commodity threats. "We're not getting nearly as many phishing email incidents," Patel says, "and those that do get through, we're able to easily track them down and remediate, all from the Proofpoint admin platform." 

The deeper change is in what the SOC can see. One incident stands out: A DMV employee tried to use their work account on a personal device that had already been compromised. They entered their credentials, approved the MFA prompt, and the moment the attacker logged in, Proofpoint started raising alerts. The system stitched the events into a single picture, and the SOC moved fast to triage and contain it. "Without Proofpoint we might not even have been aware that the incident occurred," Patel says. 

Visibility compounds across the agency. VAP scoring shows the SOC which employees are being attacked the most. Geo-blocking policies stop unauthorized access at the door. The DLP dashboard surfaces who is sending what, and where. And the Data Security Workbench gives leadership a single, filterable view.  

As the team builds out its AI-era data security posture, the Data Security Workbench has become the single pane where alerts across CASB, human risk, and isolation come together. 

“It’s very helpful because it does give a nice infographic which is not only useful for operations, but also for rolling up reports to executive leadership,” Nassardi explains.