SALEM, Ore. — A data breach discovered Monday may have compromised Oregon Department of Transportation records that include personal information for about 3.5 million Oregonians, ODOT announced Thursday.
News of the hack was first reported by The Oregonian, followed by a news release from ODOT. The agency did not immediately say why it waited until Thursday to issue a news release about the hack.
ODOT learned on Monday that the accessed data included personal information for about 3.5 million people who hold Oregon driver's licenses or state ID cards. Most of it is information that is broadly available, ODOT said, but some of it is sensitive personal information.
The Oregonian reported that an ODOT spokesperson said the hack compromised data from an estimated 90% of state-issued licenses and ID cards in Oregon.
ODOT said it can't identify whether a specific person's data was breached, but that anyone with an active Oregon ID or driver's license should assume that their information was part of the breach and should take precautionary measures such as monitoring their personal credit reports.
What to do if your data is compromised
Oregonians who think they may have been affected should know that federal law gives them a right to receive a free copy of their own credit report every 12 months upon request from each of the three big consumer credit reporting agencies: Equifax, TransUnion and Experian.
A credit report can provide information about people or groups who have received a person's credit history. Reports can be requested at annualcreditreport.com or by calling 1-877-322-8228, ODOT said.
When the report arrives, check for any unrecognized transactions or accounts, and report anything suspicious by calling the number listed on the report or visiting the Federal Trade Commission's identity theft website at consumer.gov/idtheft.
You can also ask each of the three credit monitoring agencies to freeze your credit files, restricting access to only a limited number of entities — although you may need to undo the freeze later if you apply for a new loan or line of credit. A freeze can be requested using the following numbers or websites:
- Equifax: equifax.com/personal/credit-report-services or 1-800-685-1111
- Experian: experian.com/help or 1-888-397-3742
- TransUnion: transunion.com/credit-help or 1-888-909-8872
ODOT can also provide more information to people who email AskODOT@odot.oregon.gov. ODOT has notified law enforcement and is still working to understand the full scope of the breach, the agency said.
Hack affects governments and companies worldwide
ODOT said the data breach stemmed from a global hack of a data transfer software platform called MOVEit Transfer, which ODOT has used since 2015 to securely move files between business partners and customers.
The U.S. Cybersecurity and Infrastructure Security Agency issued a zero-day vulnerability alert on June 1, ODOT said, warning that a vulnerability had been discovered in MOVEit Transfer that could allow attackers to take over affected systems.
ODOT said it immediately moved to secure its systems, but after working with state and third-party cyber security services, the agency learned that multiple files shared over MOVEit had been accessed by unauthorized parties.
The MOVEit hack has impacted a wide range of big-name companies and government organizations, ODOT said, including the BBC, British Airways and the government of Nova Scotia. The Louisiana DMV was also compromised, according to the Associated Press.
The Associated Press reported Thursday that multiple federal agencies including the U.S. Department of Energy were also compromised by the MOVEit breach, which is tied to a Russian cyber-extortion gang.