Louisiana and Oregon motor vehicle departments victimised by MOVEit Transfer hack, millions affected

The Louisiana Office of Motor Vehicles (OMV) and the Oregon Department of Transportation (ODOT) said they suffered data breaches as a result of the Clop ransomware group exploiting a zero-day vulnerability in the MOVEit Transfer web application.

The Louisiana Office of Motor Vehicles said via a press release that it is one of the many government entities that were affected by the global cyber security incident resulting from the MOVEit data breach. Like other affected organisations, OMV used the MOVEit Transfer web application to securely transfer files within departments.

“There is no indication at this time that cyber attackers who breached MOVEit have sold, used, shared, or released the OMV data obtained from the MOVEit attack. The cyber attackers have not contacted the state government. But all Louisianans should take immediate steps to safeguard their identity,” OMV said.

OMV believes that all Louisianans with a state-issued driver’s license, ID, or car registration along with personal sensitive information have been affected in the data breach. The data breach also compromised Louisianans’ names, addresses, social security numbers, dates of birth, height, eye colour, handicap placard information, and more.

According to Casey Tingle, the Emergency Preparedness Director and the Governor’s Office of Homeland Security,  more than 6 million records in Louisiana have been compromised due to the security incident.

“That is duplicative because some people have both vehicle registration and driver’s license. The state of Louisiana, our data, doesn’t appear to be the focus of the attack, however everyone should take this seriously. This was an issue with a vendor widely utilized across both government and not government and private sector,” Tingle said.

The Oregon Department of Transportation issued a similar statement on 15th June, stating that it also uses the MOVEit application to securely send and receive files and was a victim of the cyber security incident.

“Hundreds of organizations in the United States and around the world were hit by this attack, and some Oregon DMV data was stolen. As soon as ODOT learned of the MOVEit vulnerability, we promptly initiated additional security measures to safeguard our systems,” ODOT said.

An internal investigation revealed that several files shared via MOVEit Transfer were already accessed by threat actors before the department received a security alert from Progress Software, the manufacturer of the MOVEit application.

ODOT added that around 3.5 million individuals who have Oregon IDs or driver’s licenses had their information compromised in the data breach.

“We do not have the ability to identify if any specific individual’s data has been breached. Individuals who have an active Oregon ID or driver’s license should assume information related to that ID is part of this breach.

“We recommend individuals take precautionary measures to protect themselves from misuse of this information, such as accessing and monitoring personal credit reports,” the department added.

The Clop ransomware gang, who claimed responsibility for exploiting a zero-day vulnerability in the MOVEit Transfer web application, earlier said that any government data that it stumbles upon during the data breach will be deleted. Now that several government departments have confirmed being affected by the global cyber attack, it remains to be seen if the group will act on its promise in the coming days.