Hand pointing at screen with warning alert showing cyber attack on Oregon DMV and Louisiana OMV driver's license

Nearly 10 Million Driver’s License Holders Exposed in the Oregon DMV and Louisiana OMV Cyber Attack

An Oregon DMV and Louisiana OMV cyber attack has leaked sensitive data of nearly 10 million driver’s license holders.

The breach attributed to the Russian-linked Clop ransomware gang exploited a zero-day vulnerability CVE-2023-34362 in the MOVEit Transfer secure file transfer service used by the two DMVs.

The data breach has impacted possibly hundreds of organizations globally, including several US federal agencies.

Louisiana OMV cyber attack impacted all the state’s ID holders

According to Louisiana OMV (Office of Motor Vehicles), the cyber attack impacted all holders of the state’s driver’s license, ID, or car registration numbers.

Data exposed includes the victims’ names, addresses, Social Security Numbers, dates of birth, height, eye color, driver’s license numbers, vehicle registration information, and handicap placard information.

The Louisiana OMV cyber attack impacted at least 6 million driver’s license holders. The state of Louisiana intends to notify all potential victims.

Meanwhile, Louisiana OMV found no evidence suggesting that the threat actor sold, used, shared, or released the exposed data. The Clop ransomware gang also promised to delete all personal information stolen from government agencies.

Louisiana’s Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP) has launched a dedicated website to help the state’s driver’s license holders mitigate the impacts of the cyber attack.

GOHSEP advised the potential victims to take additional steps to protect themselves from online identity theft by resetting all online accounts’ passwords, including banking, email, and social media, and monitoring their credit files.

Credit reporting agencies also allow you to freeze your credit file at no cost to prevent fraudsters from obtaining credit cards or taking loans using your personal information.

Additionally, potentially impacted driver’s license holders should obtain an “Identity Protection Pin” from the Internal Revenue Service (IRS) to prevent cyber criminals from fraudulently filing tax returns or receiving tax refunds on the victims’ behalf.

“If you suspect any abnormal activity involving your data, including financial information, contact the Federal Trade Commission at 1-877-FTC-HELP or visit www.ReportFraud.FTC.gov immediately,” Louisiana OMV advised.

Oregon DMV cyber attack exposed 3.5 million driver’s license holders

Oregon DMV disclosed that the MOVEit attack exposed 3.5 million individuals exposing their permits, driver’s licenses, and ID cards.

“If you have an active Oregon driver’s license, permit, or ID card, you should assume your personal information was exposed.  We recommend you take steps now to secure your information to avoid misuse,” Oregon DMV’s MOVEit data breach notification stated.

Other details exposed in the Oregon DMV data breach include the driver’s license holders’ names, home and mailing addresses, and the last four digits of their social security numbers.

Although the breach did not expose banking, credit card, or financial information, Oregon DMV advised the state’s driver’s license holders to monitor and possibly freeze their credit files to prevent identity theft.

An expanding list of MOVEit cyber attack victims

The Louisiana OMV and Oregon DMV cyber attacks are part of a wider breach impacting hundreds of entities globally.

The Cybersecurity and Infrastructure Security Agency (CISA) disclosed it was supporting several federal agencies impacted by the MOVEit cyber attack, including the US Department of Energy.

Other organizations impacted by the MOVEit cyber attack include:

  • The Canadian regional government of Nova Scotia
  • The US states of Missouri, Illinois, and Minnesota
  • The  American Board of Internal Medicine
  • Extreme Networks
  • Shell
  • Zellis, which also impacted the BBC and British Airways
  • U.K. drugstore Boots
  • Johns Hopkins University
  • The University of Rochester
  • University of Georgia and the University System of Georgia

According to Brett Callow, a Threat Analyst at Emsisoft, at least 63 organizations have confirmed MOVEit data breaches.

“Citizens have a choice to walk away from companies that failed to protect their data,” said Dror Liwer, co-founder of Coro. “When it comes to government agencies, people don’t have that choice, which is all the more reason for such agencies to take confidential information even more seriously than the private sector.”

The Russian-speaking gang listed dozens of allegedly breached organizations but avoided mentioning Louisiana OMV, Oregon DMV, and other federal and state agencies. The group has threatened to leak the stolen data unless a ransom is paid. However, no federal or state agency has confirmed receiving any ransom demands.