Both the Oregon and Louisiana departments of motor vehicles have become victims of the MOVEit hack and millions of drivers and vehicle owners have had their personal information stolen.
Onur Demirkol reports that the Oregon DMV fell prey to the MOVEit hack:
An estimated 3.5 million driver’s license and identity card details were exposed when the organization was hacked two weeks ago, the Oregon Driver and Motor Vehicle Services stated on Thursday. The Oregon DMV data breach might be dangerous for many as they have lost their personal information to possible bad actors. If you are one of them, better contact authorities for an official answer.
The reporter’s recommendation to contact the authorities is somewhat contradicted by the state, though. In a notice by the state, they say, in part:
We do not have the ability to identify if any specific individual’s data has been breached. Individuals who have an active Oregon ID or driver’s license should assume information related to that ID is part of this breach. We recommend individuals take precautionary measures to protect themselves from misuse of this information, such as accessing and monitoring personal credit reports.
The state’s full notice can be found here. It does not list all the data types that may have been accessed or acquired.
Under Oregon law, some driver information is actually a public record — like an Oregonian’s name, address, phone number, and driver’s record. And under Oregon law, the state can, and actually does, sell that information to certain types of entities. So could criminals set up a fake private investigation service to buy data from the state that could be used in conjunction with the data that has been hacked? Yes, and hopefully the states will be extra diligent about checking the credentials of any entities that apply to purchase public records data, but even without that data, this is a breach where data may be misused.
Louisiana has also been affected by the breach. The Louisiana Office of Motor Vehicles (OMV) issued a press release that says, in part:
There is no indication at this time that cyber attackers who breached MOVEit have sold, used, shared or released the OMV data obtained from the MOVEit attack. The cyber attackers have not contacted state government. But all Louisianans should take immediate steps to safeguard their identity.
OMV believes that all Louisianans with a state-issued driver’s license, ID, or car registration have likely had the following data exposed to the cyber attackers:
- Name
- Address
- Social Security Number
- Birthdate
- Height
- Eye Color
- Driver’s License Number
- Vehicle Registration Information
- Handicap Placard Information
Gov. John Bel Edwards met with the Unified Command Group at 11 a.m. Thursday to be briefed on the incident, where he instructed the Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP), Office of Motor Vehicles (OMV), Louisiana State Police (LSP), and the Office of Technology Services (OTS) to act to inform Louisianans of the breach and their best next steps as soon as possible.
Read more of the press release and recommendations at Louisiana’s Warned of Data Leak from Office of Motor Vehicles.
Update: Louisiana believes about 6 million driver’s license and other OMV records were involved.