The Oregon Department of Motor Vehicles (DMV) has officially acknowledged that approximately 3.5 million driver's license and identification card files were compromised in a recent cyberattack targeting the agency. According to agency spokesperson Michelle Godfrey, it was only four days ago that the extent of the breach became evident, with about 90% of the state's driver's license and ID card records affected.
Initial inquiries from The Oregonian/OregonLive prompted the discussion of the security breach, but DMV officials took nearly a day to provide a response. The agency had planned to delay public disclosure until Friday to allow time for adequately preparing employees on how to address the concerns and inquiries of Oregonians regarding personal protection measures.
As a precautionary measure, Godfrey advised the public to monitor their credit reports for any signs of fraudulent activity. The agency became aware of the hack on June 1, immediately locking down the affected systems, but lacked information on the compromised data until thorough analysis revealed the breach's impact on the state's driver's license and ID records.
Following the news organization's inquiry, the Department of Transportation issued a press release stating that the DMV was among "many organizations" affected by the breach resulting from a global hack of the data transfer software, MOVEit Transfer. The compromised data includes "sensitive personal information" of millions of individuals holding driver's licenses and ID cards.
Since 2015, the agency has been utilizing the popular file-sharing tool, but on June 1, the Cybersecurity and Infrastructure Security Agency issued an alert regarding a zero-day vulnerability in the software that could enable attackers to gain control of affected systems. Prior to receiving the official alert, an external security specialist determined that unauthorized actors had accessed multiple files. “Citizens have a choice to walk away from companies that failed to protect their data," said Dror Liwer, co-founder of cybersecurity company Coro. When it comes to government agencies, people don't have that choice, which is all the more reason for such agencies to take confidential information even more seriously than the private sector.”
The agency emphasized its inability to identify specific individuals whose data might have been breached, stating that individuals with active Oregon IDs or driver's licenses should assume that their information is part of the breach.