The personal details of millions of Oregon and Louisiana residents have been exposed after a notorious ransomware gang breached the states' DMV services using a known vulnerability in a popular file-transfer service.
On Thursday, Oregon’s Department of Transportation warned that hackers had breached the state agency’s systems to steal personal details on 3.5 million ID and driver's license holders.
Louisiana’s Office of Motor Vehicles issued a similar alert, saying that “all Louisianans with a state-issued driver’s license, ID, or car registration” had their data exposed to the hackers. Compromised details include Social Security number, address, and driver’s license number.
The departments were breached because both use MOVEit, file-transfer software from the company Progress. Last month, ransomware gang CL0P began exploiting a newly uncovered zero-day vulnerability in the software to steal data from MOVEit databases.
The attacks mean CL0P could potentially breach hundreds of companies and organizations that rely on the file-transfer software. On Thursday, US cyber authorities warned that several federal government agencies had also been compromised, without providing more details.
The fallout could ensnare numerous consumers across the US, especially since CL0P says it will post the stolen information on its dark web site unless it receives a payment. Stolen ID numbers and other personal details can make it easy for fraudsters to commit identity theft scams on vulnerable victims.
The US Cybersecurity and Infrastructure Security Agency (CISA) has been urging companies to patch the MOVEit flaw since it was first detected. But the damage appears to be done. CL0P posted the names of dozens of organizations it allegedly breached using the vulnerability.
That said, the CL0P group is indicating it's deleting data stolen from US government agencies. "WE DON'T HAVE ANY GOVERNMENT DATA AND ANYTHING DIRECTLY RESIDING ON EXPOSED AND BAD PROTECTED NOT ENCRYPTED FILE TRANSFER WE STILL DO THE POLITE THING AND DELETE ALL," the gang wrote on its site, probably in an attempt to avoid a harsh crackdown from the FBI. CL0P also refrained from identifying the Oregon or Louisiana DMVs as compromised organizations.
In the meantime, Oregon’s Department of Transportation is warning affected users to be on guard against cybercriminals potentially misusing their stolen personal details. For tips on protecting yourself from a data breach, check out our guide.