The Oregon Department of Transportation has confirmed it was hit with a massive hack that has potentially put the personal information of 3.5 million DMV customers at risk. This affects both driver’s license and identification card holders — any of whom may have been affected.
ODOT appears to be a victim of the same attack that hit multiple agencies including the U.S. Energy Department, Louisiana’s Office of Motor Vehicles, British Airways, the British Broadcasting Company and the U.K. drugstore chain Boots. That’s according to the Associated Press. Homeland Security officials blame a Russian cyber-extortion gang.
The Cl0p ransomware syndicate behind the hack announced last week on its dark web site that its victims, who it suggested numbered in the hundreds, had until Wednesday to get in touch to negotiate a ransom or risk having sensitive stolen data dumped online.
DMV public information officer Michelle Godfrey says it was part of a worldwide hack of a data transfer software product called MOVEit Transfer. ODOT says it has used MOVEit since 2015 to allow the transfer of files and data between businesses and customers.
ODOT said the Cybersecurity and Infrastructure Security Agency issued an alert on June 1 saying that MOVEit creator Progress Software Corp had released a security advisory saying the software had a vulnerability which could allow an attacker to “take over an affected system.”
After conducting an analysis, ODOT said it found multiple files shared via MOVEit Transfer that were accessed by unauthorized people before they received the security alert.
Godfrey says the Oregon Department of Transportation “immediately shut down and secured our system.” Godfrey says they are confident it’s now working safely.
As for what was accessed, ODOT says “While much of this information is available broadly, some of it is sensitive personal information.”
ODOT says it does not have the ability to identify if any specific individual’s data has been breached. Anyone with an active Oregon ID or driver’s license should assume their information was part of the breach.
The hack first came to light in a report by The Oregonian Thursday, which said the hack affects about 90% of Oregon drivers licenses and ID cards.
The Oregonian reports the DMV became aware of the hack on June 1. The systems were reportedly locked down two hours later.
The DMV reportedly learned of full extent of the hack on Monday. It responded to questions from The Oregonian on Thursday but reportedly did not plan to go public on the release until Friday while it was preparing employees on how to respond to any concerns from customers.
What to do now to protect yourself
If you think you may have been affected by the breach, ODOT has this advice:
Under federal law, you have the right to receive, at your request, a free copy of your credit report every 12 months from each of the three consumer credit reporting companies. A credit report can provide information about those who have received your credit history. You may request a free credit report online at www.annualcreditreport.com or by telephone at 1-877-322-8228.
When you receive your credit reports, check for any transactions or accounts that you do not recognize. If you see anything you do not understand, call the telephone number listed on the credit report or visit the Federal Trade Commission’s Web site on identity theft at http://www.consumer.gov/idtheft/. Additionally, you may wish to ask each of the three credit monitoring agencies to freeze your credit files.
For information, you can reach out to Ask ODOT, your first point of contact for finding information, services or resolving issues with ODOT. They can be reached by email at AskODOT@odot.oregon.gov.
The Associated Press contributed to this report.