Louisiana and Oregon warn that millions of driver's licenses were exposed in a data breach after a ransomware gang hacked their MOVEit Transfer security file transfer systems to steal stored data.
These attacks were conducted by the Clop ransomware operation, which began worldwide hacks of MOVEit Transfer servers on May 27th using a previously unknown, zero-day vulnerability tracked as CVE-2023-34362.
These attacks have led to widespread disclosures of data breaches worldwide, impacting companies, federal government agencies, and local state agencies.
According to press releases by the Louisiana Office of Motor Vehicles and the Oregon Driver & Motor Vehicle Services, both agencies used the MOVEit Transfer software, which was breached during these attacks.
Millions of driver's licenses stolen
The Louisiana Office of Motor Vehicles (OMV) announced yesterday that they believe all Louisianans with a state-issued driver's license, ID, or car registration likely had their data exposed to the threat actors.
"Louisiana's Office of Motor Vehicles (OMV) is one of a still undetermined number of government entities, major businesses and organizations to be affected by the unprecedented MOVEit data breach," explains an alert from the Louisiana OMV.
The OMV says that those impacted likely had the following personal information exposed:
- Name
- Address
- Social Security Number
- Birth date
- Height
- Eye Color
- Driver's License Number
- Vehicle Registration Information
- Handicap Placard Information
However, the agency says there is no indication that Clop used, sold, shared, or released any of that data, so the stolen data may have been deleted as the ransomware actors promised in their announcement to delete any stolen government data.
"I want to tell you right away that the military, children's hospitals, GOV etc like this we no to attack, and their data was erased," the Clop gang told BleepingComputer in an email earlier this month.
Nonetheless, millions living in Louisiana should still consider their data at risk. They are advised to take appropriate steps to protect their identity, reset their passwords, place a credit freeze on their bank accounts, and report any suspicious activities to the authorities and their card issuers.
The Oregon DMV released a similar statement and a press release explaining that its MOVEit Transfer data breach impacted approximately 3,500,000 Oregonians with an ID or driver's license.
"Since 2015, ODOT has used MOVEit Transfer, a popular file sharing tool created and supported by Progress Software Corp that allows organizations to securely transfer files and data between business partners and customers," reads Oregon DMV's press release
"On Monday, June 12, ODOT confirmed that the accessed data contained personal information for approximately 3.5 million Oregonians. While much of this information is available broadly, some of it is sensitive personal information."
The authorities in Oregon have stated that they are in no position to identify specific victims, so all citizens are advised to take precautions and assume their personal data was exposed to cybercriminals.
While Clop started extorting victims of the MOVEit attacks on Wednesday by listing breached companies on the ransomware operation's data leak site, no stolen data has yet to be leaked.
Furthermore, as both the Louisiana and Oregon DMV fall under the government category, it is too soon to tell if the Clop extortionists will keep their promise and delete stolen data.
Even if this data is never used in extortion attempts, it is possible the data could be sold to other threat actors.
Therefore, all impacted people in Oregon and Louisiana should treat their data as at risk, monitor credit reports for identity theft, and remain vigilant against possible targeted phishing attacks.
Other organizations who have already disclosed MOVEit Transfer breaches include US federal agencies, Zellis (BBC, Boots, and Aer Lingus, Ireland's HSE through Zellis), the University of Rochester, the government of Nova Scotia, the US state of Missouri, the US state of Illinois, BORN Ontario, Ofcam, Extreme Networks, and the American Board of Internal Medicine.
Comments
No1gr8 - 10 months ago
Interesting how a private company would've been hauled into a congressional interrogation, but states are like change your password and watch your credit report, have a great day.