PORTLAND, Ore. (KOIN) – Since the Oregon Department of Transportation on Thursday announced it was part of a global hack that may have compromised private information of millions of Oregonians, people throughout the state have been asking questions about how this happened, how this could have been prevented and how they can protect their information.
Here are some of the most frequently asked questions about the data breach and what Oregon Department of Motor Vehicles customers should do now.
Who was affected by the data breach?
The Oregon Department of Transportation says personal information for approximately 3.5 million holders of Oregon ID cards or driver’s licenses was released by the breach. However, the cyber attack did not just target the Oregon DMV. The data breach was part of a global hack on the data transfer software MOVEit Transfer, which ODOT uses to encrypt and transfer data files between parties.
In addition to the Oregon DMV, the MOVEit breach affected Umpqua Bank, formerly Columbia Bank, customers in Oregon and other states. It also breached information through the Minnesota Department of Education, Louisiana’s Office of Motor Vehicles, the Nova Scotia provincial government, British Airways, the British Broadcasting Company, the U.K. drugstore chain Boots, and federal agencies like the U.S. Department of Energy.
What was stolen?
“Your driver’s license number, your photo, things like that. Someone can fabricate your driver’s license, replicate it, things like that. That’s what I’d be sort of worried about,” cyber security expert Ken Westin told KOIN 6 News.
ODOT said the hackers could have access to first and last names, driver’s license or identification card numbers, dates of birth, physical addresses, and the last four digits of social security numbers.
However, banking, credit card and other financial information was not jeopardized in the attack, ODOT said.
“They could commit fraud like applying for loans with people’s names, things like that, so that’s why it’s important to figure out what’s the intent of the attacker,” Westin said.
Who did it?
According to the Cybersecurity & Infrastructure Security Agency, the cyberattack was carried out by CL0P, a Russian ransomware gang.
CISA and the FBI say the CL0P Ransomware Gang, also known as TA505, began exploiting MOVEit in May 2023. Federal officials say MOVEit Transfer web applications were infected with malware that CL0P used to steal data.
A senior CISA official told the Associated Press that U.S. officials “have no evidence to suggest coordination between CL0P and the Russian government.”
When did it happen?
Thomas Amato, chief information officer of the Oregon DMV, said ODOT officials think the attack and data loss occurred in late May.
ODOT was notified by CISA on June 1 that an attack on the transfer system ODOT uses called MOVEit “could lead to potential unauthorized access to user systems,” according to Oregon DMV public information officer Michelle Godfrey.
During an analysis on Monday, June 12, ODOT learned multiple files were transferred or compromised, for 3.5 million customers.
ODOT waited until Thursday, June 15 to inform the public of the breach. In a press conference Thursday, the agency said it wanted to have a complete understanding of the situation and prepare its employees to field questions about the breach before telling the public. It also worked with security experts during that time.
Amato also said the agency wanted to make sure it would not reveal too much evidence in a public announcement. He said ODOT is concerned the attackers use verification of the attack as leverage.
Have there been any reports of fraud or identity theft yet?
As of Thursday, at the time of the press conference, Oregon DMV administrator Amy Joyce said she is not aware of any fraud or identity theft reports or assertions so far as a result of the situation.
When asked if the Oregon DMV would be liable for any cases of fraud or identity theft that result from the breach, Chief Administrative Officer Carolyn Sullivan said that question was “beyond the scope of this conversation.”
How can you protect yourself?
ODOT recommends people begin actively monitoring their account statements and credit reports. People are entitled to a free copy of their credit report once every 12 months from each of the three major credit reporting agencies: Experian, Equifax and TransUnion.
Free credit reports can be ordered from www.annualcreditreport.com or by calling 1-877-322-8228.
All three credit bureaus also allow people to place fraud alerts on their accounts. A fraud alert at one of the three major credit bureaus will notify the other two to place the same alert on their files for you. A fraud alert tells creditors to do things like contact you before opening any new accounts in your name or before changing your existing accounts.
ODOT said a fraud alert placement can protect you, but it might require more time for people to open new credit accounts.
Westin recommends people place a lock on their credit account when they aren’t using it. He locks his credit account and says he’ll remove the lock about a month before he plans to make a big purchase of something like a new car.
Anyone who believes they’re a victim of identity theft should file a police report immediately. Incidents of identity theft can also be reported to the Oregon Attorney General and the Federal Trade Commission.