Cyber Incident Victim: Louisiana Office of Motor Vehicles
Date: Jun 2023
Location: United States of America
Summary
The Louisiana Office of Motor Vehicles suffered a data breach after threat actors exploited a zero-day vulnerability in its MOVEit Transfer file sharing system. The incident exposed the personal information of all individuals with a state-issued driver's license, ID, or car registration. The compromised data included names, addresses, Social Security numbers, birth dates, and driver's license numbers. A ransomware gang claimed responsibility for the attack.
Description
On or around June 12, 2023, the Louisiana Office of Motor Vehicles confirmed that it had been impacted by a significant data breach. The breach was part of a wider, global series of cyberattacks targeting the MOVEit Transfer software, a secure file transfer tool developed by Progress Software Corp. The Louisiana OMV was one of numerous government entities, major businesses, and organizations affected by this unprecedented MOVEit data breach. The attacks were conducted by the Clop ransomware operation, which had begun exploiting a previously unknown zero-day vulnerability in MOVEit Transfer servers worldwide starting on May 27, 2023. This vulnerability is tracked as CVE-2023-34362.

The Louisiana OMV announced that it believed all Louisianans with a state-issued driver's license, identification card, or car registration had likely had their data exposed to the threat actors. The personal information exposed in the breach included name, address, Social Security number, birth date, height, eye color, driver's license number, vehicle registration information, and handicap placard information. The agency stated there was no indication that the Clop ransomware operation had used, sold, shared, or released any of the stolen data from this incident. This statement was based on a public promise made by the Clop gang, which had communicated via email earlier in the month that it would not attack military, children's hospitals, or government entities and claimed that any data stolen from such targets had been erased.

Despite this claim, the Louisiana OMV advised millions of residents to consider their data at risk. The agency recommended that impacted individuals take steps to protect their identity, which included resetting passwords, placing a credit freeze on their bank accounts, and reporting any suspicious activities to the authorities and their financial card issuers. The scale of the breach meant that virtually every individual who had interacted with the Louisiana OMV was potentially affected, necessitating a broad public warning.

Concurrently, the Oregon Driver & Motor Vehicle Services (DMV), a division of the Oregon Department of Transportation (ODOT), disclosed a nearly identical breach. ODOT had also used the MOVEit Transfer software since 2015 to securely transfer files and data between business partners and customers. On Monday, June 12, ODOT confirmed that the data accessed by the attackers contained personal information for approximately 3.5 million Oregonians. The authorities in Oregon stated that while much of the information was broadly available, some of it was sensitive personal data. Similar to Louisiana, the Oregon DMV was unable to identify specific victims from the vast trove of stolen data and therefore advised all citizens to take precautions and assume their personal data had been exposed to cybercriminals.

The attacks leveraged a critical security flaw in the MOVEit Transfer application to gain unauthorized access to systems and exfiltrate data stored on them. The Clop ransomware group did not deploy ransomware in these specific incidents against the state agencies; the primary goal appeared to be mass data theft for extortion purposes. On the Wednesday following the confirmations by Louisiana and Oregon, the Clop operation began listing breached companies on its data leak site as part of its extortion campaign. However, no stolen data from these government entities had been leaked at the time of the reports. The status of the data stolen from the Louisiana and Oregon motor vehicle agencies remained uncertain, as it was too soon to tell if the extortionists would keep their promise to delete stolen government data.

The immediate impact of the incident was the exposure of highly sensitive personal information for millions of residents across both states. For Louisiana, the breach impacted nearly every citizen with a state-issued identification, while in Oregon, the impact was estimated at 3.5 million individuals. The type of data stolen is particularly valuable for identity theft and fraud, including Social Security numbers and driver's license numbers. The potential consequences for affected individuals include financial fraud, targeted phishing attacks, and other forms of identity theft.

The response from both state agencies was primarily focused on public notification and advising citizens on protective measures. Neither agency offered specific credit monitoring or identity protection services directly in the initial announcements, instead directing individuals to take proactive steps themselves. The technical response involved confirming the scope of the breach, facilitated by the software vendor, Progress Software, which had provided a security update to patch the vulnerability. The widespread nature of the attacks meant that numerous other organizations also disclosed breaches, including US federal agencies, the governments of Nova Scotia and Missouri, the University of Rochester, and companies like Zellis, whose compromise led to breaches at its clients including the BBC, Boots, and Aer Lingus.

The long-term implications of the incident hinge on the actions of the threat actors. Even if the Clop group does not publicly leak or directly use the stolen government data, there remains a possibility that it could be sold to other threat actors on underground forums. Therefore, the official guidance for all impacted people in Oregon and Louisiana was to treat their data as being at risk, monitor their credit reports for signs of identity theft, and remain vigilant against possible targeted phishing campaigns. The incident underscored the systemic risk posed by a single vulnerability in a widely used software product, impacting a diverse range of organizations globally and compromising the personal data of millions of individuals. The confirmations by Louisiana and Oregon were part of a continuous stream of disclosures from victims of the MOVEit attacks throughout June 2023.
