PORTLAND, Ore. (KOIN/AP) – The identities of approximately 3.5 million Oregonians are at risk after a data breach of the Oregon Department of Transportation left personal files compromised, the agency said Thursday.
ODOT says the hack, which impacts roughly 90% of the state’s driver’s license and ID card files, was part of a global data breach involving the data software MOVEit Transfer earlier this month.
As first reported by The Oregonian, the agency knew of their connection to the breach on Monday, planned to go public on Friday to prepare employees for incoming questions.
According to the agency, the DMV is not able to identify whether a specific individual’s data had been breached. However, they say all Oregonians with a driver’s license or Oregon ID should assume their information has been compromised.
The ransomware syndicate behind the hack — Russian cyber-extortion gang Cl0p — announced last week on its dark web site that its victims, who it suggested numbered in the hundreds, had until Wednesday to get in touch to negotiate a ransom or risk having sensitive stolen data dumped online.
ODOT advises those with an Oregon ID or driver’s license to access their credit reports to check for any transactions or accounts you do not recognize.
To do so, you can request a copy of a credit report every 12 months from three consumer credit reporting companies – including Equifax, Experian and TransUnion – at annualcreditreport.com or by telephone at 1-877-322-8228. You can also request to freeze your credit files.
For more information, contact ODOT via email at AskODOT@odot.oregon.gov.
ODOT has used MOVEit Transfer since 2015. The scope of the data breach is still unclear, but the investigation is ongoing. The exploited program is widely used by businesses to securely share files. The parent company of its U.S. maker, Progress Software, alerted customers to the breach on May 31 and issued a patch. But cybersecurity researchers say scores if not hundreds of companies could by then have had sensitive data quietly exfiltrated.
The cybersecurity firm SecurityScorecard says it detected 2,500 vulnerable MOVEit servers across 790 organizations, including 200 government agencies. It said it was not able to break down those agencies by country.
This is far from the first time Cl0p has breached a file-transfer program to gain access to data it could then use to extort companies. Other instances include GoAnywhere servers in early 2023 and Accellion File Transfer Application devices in 2020 and 2021.
The Associated Press emailed Cl0p on Thursday asking what government agencies it had hacked. It did not receive a response, but the gang posted a new message on its dark web leak site saying: “We got a lot of emails about government data, we don’t have it we have completely deleted this information we are only interested in business.”
Cybersecurity experts say the Cl0p criminals are not to be trusted to keep their word. Allan Liska of the firm Recorded Future has said he is aware of at least three cases in which data stolen by ransomware crooks appeared on the dark web six to 10 months after victims paid ransoms.
AP reporters Sara Cline in Baton Rouge, Louisiana, and Nomaan Merchant and Rebecca Santana in Washington contributed to this report.