The Oregon Department of Transportation (ODOT) recently announced its involvement in a global hack that has affected numerous organizations using the software MOVEit.
With personal information of about 3.5 million Oregon residents at risk, ODOT is advising individuals to take immediate action to protect themselves from potential identity theft.
Oregon DMV Records At Risk: The hack may have exposed names, addresses, license ID numbers, and the last four digits of social security numbers. Although financial information was not compromised, ODOT recommends that residents monitor their credit and freeze their credit files.
However, ODOT staff has openly admitted that more information including entire Social Security Numbers (SSN) may have been compromised, as seen here in their public announcement. Furthermore, wouldn’t vehicle sale/purchase records via title transfers and SSNs be considered financial information? (video cued to SSN questions)
Experts suggest additional measures to safeguard personal information, such as changing passwords, avoiding public WiFi, and considering password changes for home routers.
Potential Implications of the Data Breach: ODOT acknowledges that it is unclear which individuals were affected or what specific data was accessed by hackers. However, the exposed information could be used maliciously to apply for loans, lines of credit, government identification documents, benefits, or even commit criminal offenses using stolen identities. The breach raises concerns about the creation of synthetic identities or altering personal information to evade law enforcement.
Immediate Steps to Protect Personal Information: To mitigate the risk of identity theft, ODOT advises residents to monitor their credit and consider freezing their credit files. Monitoring credit reports allows individuals to detect any suspicious activity promptly. Freezing credit files restricts access to credit reports, making it more challenging for hackers to use stolen information for unauthorized purposes. Additionally, changing passwords, avoiding public WiFi networks, and updating passwords for home routers can enhance personal online security.
Reporting Identity Theft or Fraud: While ODOT has not received any reports of identity theft or fraud related to the hack, yet, residents are urged to contact credit reporting agencies if they notice any suspicious activity. Credit reporting agencies can provide instructions on dealing with potential identity theft. If identity theft or fraud is confirmed, individuals should report it to the police as criminal activity. Once law enforcement is involved, the DMV can assist in obtaining a new ID card if necessary.
Obtaining Credit Reports: Oregon residents can request a free copy of their credit report from annualcreditreport.com. Reviewing credit reports allows individuals to identify any unauthorized or suspicious activity promptly and take appropriate action.
Security Measures and Future Steps: ODOT has implemented security patches to address vulnerabilities in the MOVEit software and restore the system’s security. The agency will continue evaluating the situation to determine the best course of action moving forward. ODOT affirms that it will not entertain ransom requests, adhering to state policy.
More Than Oregon DMV: According to SecurityScorecard, a cybersecurity company, they discovered 2,500 vulnerable MOVEit servers across 790 organizations, which included 200 government agencies. However, they were unable to provide a breakdown of these agencies by country.
According to GovSpend’s data, several government agencies, such as NASA, the Treasury Department, Health and Human Services, and various branches of the Defense Department, have procured the MOVEit software.
The cyber attacks have impacted not only federal agencies but also multiple state governments and higher education institutions across the US Johns Hopkins University confirmed that the MOVEit attacks resulted in the theft of “sensitive personal and financial information.”
Withholding Information: It’s also important to note that publishing articles on weekends or updating them does not necessarily imply an attempt to bury information, because News organizations continuously update articles to provide the most accurate and up-to-date information to their readers. However, withholding the information about the breach for over 2 weeks is also very concerning.
Potential Risk: Given the reported cyber attacks on government agencies and institutions, concerns regarding the extent of data accessed by hackers are understandable. While specific details about the stolen information may not have been publicly disclosed, the reported theft of “sensitive personal and financial information” from Johns Hopkins University indicates a much larger potential risk.
Conclusion: The ODOT hack has put the personal information of millions of Oregon residents at risk. With the potential for identity theft, individuals are urged to take immediate steps to protect themselves, including monitoring credit, freezing credit files, and implementing additional security measures. While ODOT has not received reports of identity theft or fraud, residents should remain vigilant and report any suspicious activity to credit reporting agencies and law enforcement if necessary. By being proactive in monitoring personal information and taking appropriate action, individuals can mitigate the potential impact of the data breach.