Data breaches have impacted millions of individuals in Louisiana and Oregon, as well as the US federal government, according to state agencies. The cyberattack has affected 3.5 million residents of Oregon holding driver’s licenses or state ID cards, and an unspecified number of individuals in Louisiana. Casey Tingle, a senior official in the Louisiana governor’s office, revealed that over 6 million records were compromised, but clarified that this figure is duplicative as some people possess both vehicle registrations and driver’s licenses.
Although no specific perpetrator was identified by the states, federal officials have linked the broader hacking campaign to a Russian ransomware group that exploited a vulnerability in the widely used file-transfer software MOVEit, developed by Massachusetts-based company Progress Software. Hundreds of organizations worldwide have likely experienced data exposure as a result of this flaw.
Several US federal agencies, such as the Department of Energy and the US Office of Personnel Management, have also been affected by the breach. However, none of these incidents have been considered severe, and US officials have characterized the cyberattack as an opportunistic, financially driven hack that has not disrupted agency services.
The list of confirmed victims expanded on Friday after multinational consulting firm Aon announced that hackers had accessed files relating to “a select number of our clients” through the MOVEit breach. Other major corporations, including British Airways and the BBC, as well as universities like the University of Georgia, have also been impacted.
In Oregon and Louisiana, the breached data from motor vehicle departments may consist of Social Security numbers and driver’s license numbers. Consequently, state authorities are advising residents on how to safeguard themselves against identity theft. Louisiana Gov. John Bel Edwards’ office stated that there is no evidence of the stolen data being sold or released, nor has the state government been contacted by the hackers.
As the search for signs of stolen data continues, Munish Walther-Puri, senior director of critical infrastructure at consultancy Exiger, stressed the importance of considering business relationships alongside technical and security data: “We can’t just rely on […] vulnerable [software installations], but also […] contracts, for example – to really understand how bad this is, and how bad it’s going to get.”
US cybersecurity officials have instructed federal agencies to implement updates from Progress Software. However, the recovery effort was complicated on Thursday by the discovery of an additional vulnerability in the software, which the company is working to address. The hackers, known as Clop, typically demand multimillion-dollar ransoms but have not yet made any demands to US or state governments. Instead, they appear to be targeting companies that may be more likely to pay, adding alleged victims to their dark-web site to apply pressure.
The OPM is among several federal agencies affected by the extensive cyberattack, according to current and former US officials who spoke with CNN on Friday. Investigations are ongoing to determine the extent of data impacted within the OPM’s custody. The agency oversees human resources, retirement, and other services for the vast federal bureaucracy. A spokesperson for the agency declined to comment when contacted by CNN on Friday evening.
In a statement this week, National Security Council spokesperson Adam Hodge emphasized the Biden administration’s commitment to responding quickly to cyber incidents. He referred to a recent public advisory from federal agencies aimed at assisting affected companies and government agencies in identifying compromises and implementing solutions.
An individual with direct knowledge of negotiations between Clop and its victims revealed that the hackers had demanded over $100 million from one corporate victim, an amount that was promptly dismissed. The source, who requested anonymity due to not being authorized to speak to the press, described the hackers as being “extremely aggressive” in their attempts to extort victims.
A senior US official told reporters on Thursday that “several hundred” companies and organizations in the US may be affected by the hacking campaign. This situation poses another challenge to the US government’s capacity to address a cyber incident that could take months to fully comprehend.
However, following a surge in ransomware attacks in 2021, preparations for potential Russian cyberattacks surrounding the Kremlin’s full-scale invasion of Ukraine, and other significant cyber threats, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have become better equipped to manage the influx of notifications and provide assistance, said Jeff Greene, former senior cyber official at the National Security Council. Now serving as the senior director of the Aspen Institute’s cybersecurity program, Greene shared his firsthand experience of witnessing these agencies improve their response capabilities.