Oregon Department of Transportation

Aliases: 2 aliases
Primary URL: www[.]oregon[.]gov
Location: United States of America
Industry: Government - Regional
Profile

The Oregon Department of Transportation (ODOT) is a state agency headquartered in the United States, which incorporates the Office of Motor Vehicles, the entity responsible for issuing driver's licenses and state identification cards. This core function involves the collection, maintenance, and security of extensive personal data for Oregon residents, establishing ODOT as a critical steward of citizen information within the state's administrative framework. The scale of this responsibility is quantified by the 2023 data breaches, which compromised the personal records of approximately 3.5 million individuals holding Oregon-issued driver's licenses or ID cards, representing a significant portion of the state's population. This incident confirms ODOT's substantial public-facing footprint in managing transportation credentials and associated sensitive data. The nature of the compromised information, ranging from publicly available details to highly sensitive identifiers like Social Security numbers, further illustrates the breadth of data under the agency's purview. Consequently, ODOT operates within a high-risk environment where the security of third-party software directly impacts the privacy of millions of citizens.

In May and June 2023, ODOT experienced two closely related security incidents stemming from a global cyberattack that exploited a zero-day vulnerability in the MOVEit Transfer file-sharing system. The Clop ransomware gang claimed responsibility for these attacks, which resulted in the theft of sensitive personal information, including names, addresses, Social Security numbers, and driver's license numbers. The first breach on June 1, 2023, directly impacted ODOT, while a preceding incident on May 27, 2023, targeted the Oregon Office of Motor Vehicles, a division within the department. These events positioned ODOT as a notable victim in a widespread supply-chain attack, highlighting the severe consequences of reliance on external software vendors. In the aftermath, the agency engaged third-party security specialists to investigate and contain the breach and promptly notified law enforcement, adhering to established incident response protocols. The dual breaches underscore the persistent threat posed by sophisticated ransomware groups to government entities that manage large repositories of personal data, where a single vulnerability can lead to the exposure of millions of records. This experience reflects the broader cybersecurity challenges facing public sector organizations tasked with safeguarding citizen information against evolving digital threats.

Incidents
1 incident