Massive Hack of Oregon DMV System Puts 3.5 Million Driver License and ID Card Info at Risk, Officials Say

The Oregon Department of Motor Vehicles confirmed Thursday that an estimated 3.5 million driver’s license and identification card files were compromised when the agency was hacked two weeks ago.

Agency spokesperson Michelle Godfrey said Thursday that the agency realized on Monday — four days ago — that the breach had extended to about 90% of the state’s driver’s license and ID card files.

The Oregonian/OregonLive first made inquiries about the security breach on Wednesday; DMV officials took nearly a day to respond with answers. Godfrey said the agency planned to wait until Friday to go public because officials are still preparing agency employees for how to respond to Oregonians’ questions and concerns about how to protect themselves.

Godfrey advised the public to monitor credit reports for signs of fraudulent activity.

Godfrey said state officials “became aware” on June 1 that the agency’s system had been hacked. Two hours later, the systems were “locked down,” she said.

“But we didn’t have any information about what data may have been affected at that time,” she said. “It’s taken days of analysis” to determine that the hack compromised the state’s driver license and ID records.

“That took it to a whole new level,” she said.

After the news organization’s inquiry, the Department of Transportation issued a press release saying the agency was among “many organizations” affected by the breach as a result of a “global hack of the data transfer software MOVEit Transfer.”



“Sensitive personal information” on millions of holders of driver’s licenses and ID cards was compromised, the agency said.

The agency has used the popular file sharing tool since 2015. On June 1, the Cybersecurity and Infrastructure Security Agency issued “a zero-day vulnerability alert” that said the software had a “vulnerability which could allow an attacker to ‘take over an affected system.’”

A third-party security specialist determined that multiple files had been “accessed by unauthorized actors” before the agency received the official alert.

“We do not have the ability to identify if any specific individual’s data has been breached,” the agency said in a statement. “Individuals who have an active Oregon ID or driver’s license should assume information related to that ID is part of this breach.”

The agency issued the following guidance for people who think they have been affected:

Under federal law, you have the right to receive, at your request, a free copy of your credit report every 12 months from each of the three consumer credit reporting companies. A credit report can provide information about those who have received your credit history. You may request a free credit report online at www.annualcreditreport.com or by telephone at 1-877-322-8228.

When you receive your credit reports, check for any transactions or accounts that you do not recognize. If you see anything you do not understand, call the telephone number listed on the credit report or visit the Federal Trade Commission’s Web site on identity theft at http://www.consumer.gov/idtheft/. Additionally, you may wish to ask each of the three credit monitoring agencies to freeze your credit files. Equifax: equifax.com/personal/credit-report-services or 1-800-685-1111; Experian: experian.com/help or 1-888-397-3742; TransUnion: transunion.com/credit-help or 1-888-909-8872.

For additional information, the agency suggests emailing AskODOT@odot.oregon.gov.