SALEM, Ore. (KGW)— A data breach discovered Monday may have compromised Oregon Department of Transportation records that include personal information for about 3.5 million Oregonians, ODOT announced Thursday.
News of the hack was first reported by The Oregonian, followed by a news release from ODOT. The agency did not say why it waited until Thursday to issue a news release about the hack.
ODOT said the data breach stemmed from a global hack of a data transfer software platform called MOVEit Transfer, which ODOT has used since 2015 to securely move files between business partners and customers.
The U.S. Cybersecurity and Infrastructure Security Agency issued a zero-day vulnerability alert on June 1, ODOT said, warning that a vulnerability had been discovered in MOVEit Transfer that could allow attackers to take over affected systems.
ODOT said it immediately moved to secure its systems, but after working with state and third-party cyber security services, the agency learned that multiple files shared over MOVEit had been accessed by unauthorized parties.
The agency learned on Monday that the accessed data included personal information for about 3.5 million people who hold Oregon driver’s licenses or state ID cards. Most of it is information that is broadly available, ODOT said, but some of it is sensitive personal information.
ODOT said it can’t identify whether a specific person’s data was breached, but that anyone with an active Oregon ID or driver’s license should assume that their information was part of the breach and should take precautionary measures such as monitoring their personal credit reports.
The Oregonian reported that an ODOT spokesperson said the hack compromised data from an estimated 90% of state-issued licenses and ID cards in Oregon.
The MOVEit hack has impacted a wide range of big-name companies and government organizations, ODOT said, including the BBC, British Airways and the government of Nova Scotia.
© 2024 KOBI-TV NBC5. All rights reserved unless otherwise stated.