PORTLAND, Ore. (KOIN) – The identities of approximately 3.5 million Oregonians are at risk after a data breach of the Oregon Department of Transportation left personal files compromised, the agency said Thursday.

ODOT says the hack, which impacts roughly 90% of the state’s drivers license and ID card files, was part of a global data breach involving the data software MOVEit Transfer earlier this month.

The breach was reported June 1, though ODOT says they didn’t know until this week on June 12.

As first reported by The Oregonian, the agency planned to go public on Friday to prepare employees for incoming questions — four days after they confirmed the breach. ODOT Chief Information Officer Thomas Amato said they wanted to be sure of what happened before going public.

“Good forensic work does take time, and even on June 12, we’re still talking about preponderance of evidence, enough for us to say there is that we can confirm and actually believe this event is one that’s confirmed and that we are very confident saying happened,” he said. “Between that time and today [Thursday], we’ve been trying to put in place, things to prepare Oregonians for this announcement and to do that the right way, so we didn’t give too much evidence to the actual threat actors who could use verification of their attack as leverage.”

According to the agency, the DMV is not able to identify whether a specific individual’s data had been breached. However, they say all Oregonians with a driver’s license or Oregon ID should assume their information has been compromised. 

“For security purposes, we’re not going to discuss exactly what data points were potentially included in that file,” said Amy Joyce, ODOT DMV Administrator. “What we’re saying is if you have an Oregon driver’s license, ID, permit, driver’s permit, you can assume that data associated with that credential has been compromised.”

It is unclear whether details beyond a license number, photo or address had been accessed, and many Oregonians say Social Security numbers are their primary concern.

Local cyber security specialist Ken Westin, who works as a senior information security officer for Panther Labs, has his own questions.

“Is it a nation-state attack going after certain individuals? Or is it a sort of crime of convenience where they’re actually looking to monetize that information, again, in these underground forums to compromise identities? When there is a compromise like this, there are a lot of dots they need to connect,” Westin said. “They need to be able to conduct an investigation, they may even bring in a third party to help do an analysis.”

Although the scope remains uncertain, Westin said the breach could focus on government employees’ records, such as the mayor’s or the governor’s, and not concern all residents. He said it could also be that millions of personal information will be sold to fabricate driver’s licenses or to commit loan or credit card fraud in someone’s name.

ODOT advises those with an Oregon ID or driver’s license to access their credit reports to check for any transactions or accounts you do not recognize.

To do so, you can request a copy of a credit report every 12 months from three consumer credit reporting companies – including Equifax, Experian and TransUnion – at annualcreditreport.com or by telephone at 1-877-322-8228. You can also request to freeze your credit files.

Westin also suggests taking immediate action, adding that it’s worth locking accounts if they are not in active use. 

“I know it’s kind of a hassle for some people, but in our day and age – particularly when we’re dealing with identities being compromised like this – it just makes sense,” he said.

For more information, contact ODOT via email at AskODOT@odot.oregon.gov.

ODOT has used MOVEit Transfer since 2015. The scope of the data breach is still unclear, but the investigation is ongoing.

Stay with KOIN 6 as this story develops.