Oregon Department of Corrections data breach exposes personal information of 861 individuals

The Oregon Department of Corrections (ODOC), a state government agency responsible for overseeing and managing adult correctional facilities and related services across Oregon, has disclosed a data breach that inadvertently exposed the personal information of 861 individuals following an email error. Officials confirmed that a staff member accidentally sent an internal spreadsheet to two individuals seeking to visit one of the state’s correctional institutions. The breach, ODOC emphasized, was unintentional and not the result of a cyberattack.

The mis-mailing incident occurred on August 28 and 29, 2024. It wasn’t until September 9, however, that the department became aware of the issue, prompting an immediate response. ODOC coordinated with both recipients and state-side cybersecurity teams to delete the emails and attachments from the recipients’ and state email systems, achieving full deletion by September 16.

The compromised data included each individual’s name, driver’s license or state identification number, date of birth, and FBI number—key details that ODOC had collected through its routine background checks. Importantly, Social Security numbers and financial information were not included in the breach, minimizing potential risks associated with identity theft. Nevertheless, ODOC is providing 12 months of complimentary identity theft resolution services to those affected to mitigate any residual concerns about data misuse.

In compliance with the Oregon Consumer Information Protection Act, ODOC reported the breach to the Oregon State Police and the Cyber Security Services (CSS) team. The agency is actively collaborating with CSS and internal teams to strengthen protocols and avoid future mishaps of this nature. Measures under review include both training enhancements and more stringent access controls for sensitive data.