Cyber Incident Victim: Oregon Department of Transportation
Date:
May 2023
Location:
United States of America
Summary
A cyberattack exploiting a zero-day vulnerability in Progress Software's MOVEit Transfer file transfer product compromised data held by Oregon Driver & Motor Vehicle Services (DMV), a division of the Oregon Department of Transportation. The incident resulted in the theft of personal information belonging to approximately 3.5 million Oregonians holding state-issued IDs or driver's licenses. The exposed data was expected to include details such as names, addresses, Social Security numbers, and driver's license numbers. The Clop ransomware gang claimed responsibility for the attack.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 27, 2023, the Clop ransomware operation launched a worldwide campaign exploiting a then-unpatched zero-day vulnerability in Progress Software's MOVEit Transfer application, tracked as CVE-2023-34362. The flaw is a SQL injection in the MOVEit Transfer web application that allowed unauthenticated attackers to gain access to the application's database and to the files it stored. The managed file transfer product was used by numerous government entities, major businesses, and organizations globally. Oregon Driver & Motor Vehicle Services (DMV), a division of the Oregon Department of Transportation (ODOT), was among the agencies impacted by this widespread attack. ODOT had used MOVEit Transfer since 2015 to transfer files and data securely between business partners and customers.
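The exploitation pattern behind CVE-2023-34362 left a characteristic trail in the web server logs of affected MOVEit Transfer hosts: a burst of requests from one client to the application's API and guest-access endpoints, followed by requests to a web shell dropped as `human2.aspx` (the LEMURLOOT shell described in CISA advisory AA23-158A), a file name that a legitimate installation never serves. The script below is an added example, not code from the page or from Progress, showing how a defender could triage IIS logs for that pattern. The log lines are constructed for illustration, and the W3C field layout (date, time, server IP, method, URI stem, URI query, port, username, client IP, user agent, status) is an assumption about how the server was configured.

```python
"""Added detection example: triage IIS W3C logs from a MOVEit Transfer host
for the CVE-2023-34362 exploit chain.  Sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The LEMURLOOT web shell was written next to the legitimate human.aspx.
WEBSHELL_PATH = "/human2.aspx"
# Endpoints hit in sequence during exploitation (per CISA AA23-158A).
CHAIN_PATHS = {"/moveitisapi/moveitisapi.dll", "/guestaccess.aspx", "/api/v1/token"}

# Assumed W3C layout: date time s-ip cs-method cs-uri-stem cs-uri-query
# s-port cs-username c-ip cs(User-Agent) sc-status
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<sip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<query>\S+) (?P<port>\S+) (?P<user>\S+) (?P<cip>\S+) (?P<ua>\S+) (?P<status>\d+)$"
)

# Constructed sample: one attacker (198.51.100.23) runs the chain and then
# talks to the web shell; two ordinary clients generate benign traffic.
SAMPLE_LOG = """\
2023-05-28 03:12:01 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 - 198.51.100.23 Mozilla/5.0 200
2023-05-28 03:12:02 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2023-05-28 03:12:05 10.0.0.5 POST /api/v1/token - 443 - 198.51.100.23 Mozilla/5.0 200
2023-05-28 03:12:09 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2023-05-28 08:40:11 10.0.0.5 GET /human.aspx - 443 alice 203.0.113.8 Mozilla/5.0 200
2023-05-28 09:01:44 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
"""


def parse_line(line):
    """Parse one W3C line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    rec["path"] = rec["path"].lower()
    return rec


def scan(log_text, window=timedelta(minutes=5)):
    """Return findings: any hit on the web shell path (high) and any client
    that touched two or more chain endpoints within `window` (medium)."""
    findings = []
    by_client = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["path"] == WEBSHELL_PATH:
            findings.append({"severity": "high", "client": rec["cip"], "ts": rec["ts"],
                             "reason": "request to LEMURLOOT web shell path"})
        if rec["path"] in CHAIN_PATHS:
            by_client[rec["cip"]].append(rec)

    for cip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window over this client's chain-endpoint requests.
        for i, first in enumerate(recs):
            seen = set()
            for r in recs[i:]:
                if r["ts"] - first["ts"] > window:
                    break
                seen.add(r["path"])
            if len(seen) >= 2:
                findings.append({"severity": "medium", "client": cip, "ts": first["ts"],
                                 "reason": f"{len(seen)} exploit-chain endpoints hit within {window}"})
                break  # one finding per client is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["client"], f["ts"], f["reason"])
```

The medium-severity rule is a triage hint only: `guestaccess.aspx` and the REST API are legitimate endpoints and will appear in normal traffic, so a single hit (as from 203.0.113.9 above) is not flagged. A request to `human2.aspx` is the strong signal, and the matching host-side check is to look for that file in the MOVEit `wwwroot` directory.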

The Oregon Department of Transportation detected and confirmed the incident on Monday, June 12, 2023. The investigation found that the attackers had accessed data stored within the MOVEit Transfer system. That data contained personal information for approximately 3.5 million Oregonians who held a state-issued identification card or driver's license. Oregon authorities stated that they could not determine which individuals' records had been accessed, and therefore advised anyone with an Oregon ID or license to assume their personal data had been exposed to the attackers.
The types of personal information exposed in the breach were not explicitly itemized by the Oregon DMV in its public statement. However, the agency did confirm that while much of the information was broadly available, some of it constituted sensitive personal information. This incident was part of a much larger pattern of attacks, as the same threat actor simultaneously breached the Louisiana Office of Motor Vehicles, which disclosed that exposed data likely included name, address, Social Security number, birth date, height, eye color, driver's license number, vehicle registration information, and handicap placard information.
The Clop ransomware group claimed responsibility for the global attacks on MOVEit Transfer servers. Following the breach, the group initiated extortion efforts by listing victim organizations on its data leak site starting Wednesday, June 14. However, no data from the Oregon or Louisiana DMVs was published at that time. The group had previously communicated to a news outlet that it would not attack military, children's hospitals, or government entities and claimed to have erased any data stolen from such organizations. Despite this claim, the Oregon DMV and Louisiana OMV advised residents to treat their data as being at risk, as there was no independent confirmation that the stolen data had been deleted and no guarantee it would not be sold to other threat actors or used in future extortion attempts.
In response to the breach, the Oregon DMV issued a public press release to notify residents of the incident. The agency did not offer credit monitoring or identity protection services, but it gave general guidance for all affected residents: monitor credit reports for signs of identity theft, stay alert for targeted phishing that might use the stolen personal information, and take steps to protect their identities. The scale of the breach was significant, affecting essentially every Oregonian holding a state-issued ID or driver's license, which is the large majority of the state's residents. The primary consequence was the exposure of sensitive personal data, creating a long-term risk of identity theft and fraud for millions of individuals. The incident also highlighted the systemic risk posed by vulnerabilities in third-party software widely adopted by government agencies and large enterprises for critical business functions.
