Cyber Incident Victim: Louisiana Office of Motor Vehicles

A major cyber attack impacted the Louisiana Office of Motor Vehicles (OMV) on or around May 28, 2023. The incident was not a direct breach of state systems but was instead part of a larger, unprecedented international data breach involving the MOVEit file transfer service. MOVEit is an industry-leading third-party service used globally to send large files. The Louisiana OMV utilized this service, and its data was among the sensitive information exposed in the widespread attack. Reports of newly discovered data exposures from this major cyber attack were rapidly emerging at the time.

The specific details of how the attackers breached the MOVEit software were not disclosed by the state. There was no indication that the cyber attackers had contacted state government officials. Furthermore, state authorities reported there was no evidence at the time that the attackers had sold, used, shared, or publicly released the specific OMV data obtained from the MOVEit attack. The full scope of the incident was still being assessed, and the number of government entities, major businesses, and organizations affected was still undetermined.

The data exposure was believed to be extensive. The OMV indicated that all Louisianans with a state-issued driver’s license, identification card, or car registration had likely had their personal data exposed to the cyber attackers. The precise types of data elements compromised were not explicitly listed in the initial announcement.

Governor John Bel Edwards was briefed on the incident during a meeting with the Unified Command Group at 11:00 a.m. on Thursday, May 31, 2023. Following this briefing, the Governor instructed multiple state agencies to act immediately. These agencies included the Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP), the Office of Motor Vehicles (OMV) itself, the Louisiana State Police (LSP), and the Office of Technology Services (OTS). The primary directive was to inform the public of the breach and to communicate the best recommended next steps for citizens to protect themselves as soon as possible.

The state's response focused on public communication and guidance. A press release was issued on May 31, 2023, to officially notify residents of the breach. The state recommended that all Louisianans take urgent action to safeguard their identities. The recommended steps included placing a freeze on credit reports with the three major credit bureaus—Equifax, Experian, and TransUnion—to prevent unauthorized new account openings or loans. Citizens were also advised to review their credit reports for any suspicious activity. As an additional precaution, individuals were urged to change passwords for all online accounts, including banking, social media, and healthcare portals, and to utilize multi-factor authentication where available.

Further guidance involved protecting federal tax information. The state advised residents to request an Identity Protection PIN from the Internal Revenue Service to prevent others from filing fraudulent returns or receiving their tax refunds. For those eligible for or receiving Social Security benefits, including disability, the recommendation was to register for an online account at ssa.gov to prevent benefit theft. Citizens were instructed to report any suspected identity theft to the Federal Trade Commission immediately. The State of Louisiana directed individuals to additional resources for information, including nextsteps.la.gov and IdentityTheft.gov, and announced that more information would be issued in the coming days.

To manage public and media inquiries, GOHSEP Director Casey Tingle scheduled a press conference for 10:30 a.m. on June 1, 2023, at the GOHSEP Press Room in Baton Rouge. The conference was intended to provide officials a platform to answer questions from the media regarding the incident and the state's response. The incident was characterized as a significant event requiring a coordinated statewide response to mitigate potential identity theft risks for a vast portion of the state's population. The breach highlighted the risks associated with relying on third-party vendors for critical data transfer operations and the cascading effects a single vulnerability in a widely used software product can have on numerous organizations and millions of individuals. The full impact and long-term consequences of the data exposure for Louisiana residents remained to be fully understood in the immediate aftermath of the announcement.