Security hole in new online vehicle registration system exposes Kansans’ information

photo by: Peter Hancock

During a March 29, 2018, news conference, Gov. Jeff Colyer demonstrates a new mobile app called "iKan" that allows users to renew their vehicle registrations online. State officials said they also plan to expand uses of the app to provide access to other services like accessing birth certificates and registering to vote.

The Kansas Department of Revenue says it is reviewing security protocols of its new online vehicle registration system following reports that users can accidentally or intentionally look up others’ information.

The security hole in the system, known as iKan, was first reported by a user in a comment posted, and since deleted, on the social media site Reddit. The user wrote that when they tried to look up their own information, they accidentally typed in a personal identification number, or PIN, that was one digit off from their own, and the system displayed someone else’s vehicle and insurance information.

The user noted that the PINs are apparently not generated randomly, but are issued in sequential order, so a person could simply add or subtract from his or her own PIN and look up other people’s information.

Agency spokeswoman Rachel Whitten said in an email that no protected personal information is available on the system, but she cautioned that people should not use the system to look up other people’s information. She said the only information revealed using a PIN is the tag number associated with that PIN, the name of the owner’s insurance company and the policy number.

“It is illegal to use a (PIN) belonging to someone else to try to access information in the vehicle registration system,” Whitten said. “Fortunately, there is no privileged personal information to be accessed, even with the illegal use of a (PIN) number. State authorities are investigating the attempted breach.”

When the new platform was unveiled during a March 29 news conference, both Gov. Jeff Colyer and John Thomson, CEO of PayIt LLC, the company that developed the application, insisted that user data would not be shared with outside third parties.

Colyer said that was something the state had insisted on when it selected PayIt as the developer, and Thomson said, “Contractually, we do not share or sell any data.”

In a phone interview Thursday, Whitten said there is no information available on the site that is not already a matter of public record.

Officials also said during the March 29 news conference, however, that the platform would soon be expanded to allow people to conduct other transactions with the state, including looking up vital records, such as birth certificates and voter registrations.

Whitten said the Department of Revenue has no involvement in those projects, and that those systems would use different security protocols.

Meanwhile, she said Revenue officials are reviewing their own security protocols for the vehicle registration renewal system.

“We’re reviewing everything,” she said.