TL;DR: Puerto Rico’s CESCO (the only agency where residents can get driver’s licenses, vehicle registrations, and permits) was knocked offline by a cyberattack discovered March 24, 2026. All appointments were cancelled. The Transportation Department extended March expiration dates to April 30, but refuses to say whether ransomware was involved. Technical teams are “working around the clock” to verify data integrity before restoring services. This is Puerto Rico’s third major government cyberattack in 18 months.
March 24: Attack Detected, Systems Disconnected
Puerto Rico’s Department of Transportation (DTOP) detected a cyberattack on its CESCO systems Monday, March 24, 2026. Security monitoring caught the intrusion attempt, but the response was swift and brutal: disconnect everything.[1]
CESCO (Centros de Servicios al Conductor) handles every driver’s license, vehicle registration, and permit on the island. When it goes offline, there’s no backup. No walk-ins. No workarounds.
By Tuesday, residents found out via cancelled appointments and angry Facebook comments.
The Official Story: Working Around the Clock
Poincaré Díaz, executive director of Puerto Rico Innovation and Technology Service (PRITS), issued a carefully worded statement:[1]
“Our absolute priority is the protection of Puerto Ricans’ data. Our specialized technical teams have been working around the clock to determine the scope of this event and to check each system to ensure the total integrity of the information before proceeding with the restoration of services.”
Translation: We don’t know what they got yet.
When asked directly if ransomware was involved, neither DTOP nor PRITS responded.[1]
March Deadlines Pushed to April 30
Transportation Secretary Edwin González Montalvo announced emergency extensions for anyone whose documents were expiring during the outage:[2]
Driver’s Licenses
All licenses expiring March 23-31 now valid until April 30.
Vehicle Registrations
Marbetes (stickers) with March expirations extended to April 30.
Disability Permits
Removable permits for people with disabilities extended to April 30.
Window Tint Exemptions
Tint exemption permits expiring in March now valid until April 30.
The message is clear: don’t expect services back anytime soon.
“No Evidence Data Was Stolen”
Officials claim the attack “was stopped” and there’s “no evidence data was stolen.”[1]
That phrase, “no evidence,” does a lot of heavy lifting. It doesn’t mean data wasn’t taken. It means they haven’t found proof yet. In ransomware attacks, exfiltration often isn’t confirmed until hackers threaten to publish.
The CESCO database contains exactly the kind of information identity thieves love:
- Full names and addresses
- Dates of birth
- Social Security numbers
- License photos
- Vehicle ownership records
3.2 million Puerto Rican residents depend on CESCO for identification documents. That’s a lot of data to verify. It’s the same kind of government-held personal data exposed in the Conduent breach that hit 26 million Americans.
Third Attack in 18 Months
This isn’t Puerto Rico’s first government hack. It’s not even the second.
- June 2025: Puerto Rico’s Justice Department hit by cyberattack, forcing systems offline.[3]
- December 2025: Multiple agencies affected by ransomware, prompting FBI and CISA involvement.[3]
- March 2026: CESCO/DTOP systems knocked offline by current attack.
Puerto Rico announced a $7.6 million cybersecurity program in late 2025.[4] Clearly, it wasn’t enough.
What Residents Should Do
Check CESCO Digital App
The CESCO Digital app may still show your documents. Download it from App Store or Google Play to access your virtual license.
Don’t Ignore Expiration Notices
The April 30 extension is automatic. You don’t need to apply. But keep any official communications about the extension in case you’re stopped.
Monitor Credit Reports
Even though officials claim no data was stolen, freeze your credit with Equifax, Experian, and TransUnion. It’s free and reversible.
Watch for Rescheduling
If you had an appointment cancelled, wait for official communication. Don’t respond to unsolicited calls or texts claiming to reschedule. Scammers exploit outages.
The Bottom Line
Puerto Rico’s driver license system is down. Officials detected an attack, yanked the plug, and are now doing damage assessment.
They won’t say what kind of attack. They won’t confirm ransomware. They won’t give a timeline for restoration.
What we know: If your documents were expiring in late March, you have until April 30. If you needed an appointment, you’re waiting. If your data was in the system (and if you have a Puerto Rico license, it was), watch your credit.
This is the third time in 18 months that Puerto Rico’s government systems have been hit. The pattern is clear. The defenses aren’t working.
References
- The Record from Recorded Future News: Puerto Rico government agency cancels driver’s license appointments after cyberattack (March 2026)
- El Vocero: DTOP extiende vigencia de licencias y marbetes tras ciberataque en Cesco (March 2026)
- The Record from Recorded Future News: FBI, CISA investigating cyberattack on Puerto Rico’s water authority
- StateScoop: Puerto Rico announces $7.6M cybersecurity program