
Data Breach Exposes Millions of Driver’s Licenses in Louisiana and Oregon

A data breach targeting the secure file transfer service, MOVEit, has compromised millions of Louisiana and Oregon state identification records. The breach was discovered by the security firm, Upguard, which found that a file transfer mode configuration error had left the data accessible to the public. The incident highlights the importance of secure data transfer protocols and the need for organizations to regularly audit their security measures.


IT Services in Louisiana and Oregon have warned that a data breach has resulted in the exposure of millions of driver’s licenses. The culprit is a ransomware gang that hacked their MOVEit Transfer secure file transfer systems to steal the stored data.

The Clop ransomware operation has conducted these attacks since May 27th by exploiting a zero-day vulnerability, tracked as CVE-2023-34362, in MOVEit Transfer servers worldwide.

The attacks have led to data breaches worldwide, affecting companies, federal government agencies, and local state agencies.

Both the Louisiana Office of Motor Vehicles and the Oregon Driver & Motor Vehicle Services have confirmed using the MOVEit Transfer software, which was breached in these attacks.

Millions of Driver’s Licenses Stolen

The Louisiana Office of Motor Vehicles (OMV) issued a statement stating that they believe the data of all Louisianans with state-issued driver’s licenses, IDs, or car registrations has been exposed to the threat actors.

“Louisiana’s Office of Motor Vehicles (OMV) is one of many government entities, major businesses, and organizations to be affected by the unprecedented MOVEit data breach,” explains an alert from the Louisiana OMV.

The OMV disclosed that those impacted likely had their names, addresses, social security numbers, birth dates, height, eye color, driver’s license numbers, vehicle registration information, and handicap placard information exposed. However, Clop has not used, sold, shared, or released any of the data, so it is possible that the stolen data has been deleted, as the ransomware actors promised in their announcement that they would delete any stolen government data.

“I want to tell you right away that the military, children’s hospitals, GOV etc like this we no to attack, and their data was erased,” the Clop gang told BleepingComputer in an email earlier this month.

Nonetheless, millions of Louisiana residents should still consider their data at risk and take necessary steps to protect their identity, reset their passwords, place a credit freeze on their bank accounts, and report any suspicious activities to the authorities and their card issuers.

The Oregon DMV released a statement stating that the MOVEit Transfer data breach impacted approximately 3,500,000 Oregonians with an ID or driver’s license.

“Since 2015, ODOT has used MOVEit Transfer, a popular file sharing tool created and supported by Progress Software Corp that allows organizations to securely transfer files and data between business partners and customers,” reads Oregon DMV’s press release.

“On Monday, June 12, ODOT confirmed that the accessed data contained personal information for approximately 3.5 million Oregonians. While much of this information is available broadly, some of it is sensitive personal information.”

The authorities in Oregon have stated that they are unable to identify specific victims, so all citizens are advised to take precautions and assume their personal data was exposed to cybercriminals.

While Clop has started extorting victims of the MOVEit attacks by listing breached companies on the ransomware operation’s data leak site, no stolen data has been leaked yet.

As both the Louisiana and Oregon DMV fall under the government category, it is too soon to tell if the Clop extortionists will keep their promise and delete stolen data. Even if this data is never used in extortion attempts, it is possible the data could be sold to other threat actors.

Therefore, all impacted people in Oregon and Louisiana should treat their data as at risk, monitor credit reports for identity theft, and remain vigilant against possible targeted phishing attacks.

Other organizations that have already disclosed MOVEit Transfer breaches include US federal agencies, Zellis (and, through Zellis, the BBC, Boots, Aer Lingus, and Ireland’s HSE), the University of Rochester, the government of Nova Scotia, the US state of Missouri, the US state of Illinois, BORN Ontario, Ofcom, Extreme Networks, and the American Board of Internal Medicine.
