Driver’s license data in the US states of Oregon and Louisiana has been exposed due to breaches in the popular file transfer software MOVEit. In Oregon, it was revealed that an estimated 3.5 million driver’s license and identification card files were exposed in a cyberattack on the Driver and Motor Vehicle Services agency. The breach was first discovered on June 1, and the agency immediately locked down their systems. However, it took further analysis to determine the full scope of the attack. In Louisiana, the Office of Motor Vehicles (OMV) and other government entities suffered a cyberattack, impacting all residents with a state-issued driver’s license, ID, or car registration. The compromised data includes personal information such as names, addresses, Social Security numbers, dates of birth, and driver’s license numbers.
The breaches in Oregon and Louisiana highlight the vulnerabilities of widely used software applications and the need for prompt patching. Cyber attackers often take advantage of the window of opportunity between the announcement of vulnerabilities and the application of patches. Organizations may prioritize critical patching lower or must wait for maintenance windows to apply patches, leaving their systems vulnerable to attacks. Dror Liwer, co-founder of cybersecurity company Coro, emphasizes the need for government agencies to take confidential information even more seriously than the private sector, as citizens don’t have the choice to walk away from agencies that fail to protect their data.
The University System of Georgia (USG) has also disclosed a data breach related to the MOVEit bug. Cybercriminals gained unauthorized access to the software systems of the USG and the University of Georgia, allowing them to view prohibited information contained in MOVEit repositories. The USG promptly applied newly-developed patches supplied by MOVEit developer Progress Software and initiated an investigation to assess the full impact of the breach. Universities are often targeted by cybercriminals due to the valuable research conducted within their institutions.
The data breaches in Oregon, Louisiana, and Georgia highlight the potential legal consequences for organizations that fail to adequately protect customer data. In New Hampshire, Harvard Pilgrim Health Care is facing a lawsuit from two residents who claim that the company neglected to adequately protect customer data following a ransomware attack. The plaintiffs argue that Harvard Pilgrim and its parent company, Point32Health, took too long to detect and disclose the breach. Similarly, Mercy Health in Iowa is facing potential class-action lawsuits for negligence and violation of data protection guidelines following a cyberattack. In the UK, law firm Barings Ltd. has initiated legal proceedings against Capita P.L.C. on behalf of clients concerned about the compromise of their personal data during a cyber attack.
These data breaches serve as a reminder for organizations to prioritize cybersecurity and promptly patch vulnerabilities in their systems. It also underscores the importance of individuals remaining vigilant against phishing scams, social media engineering, and other cyber threats. Immediate steps such as monitoring financial accounts, freezing credit accounts, and reporting suspicious activity are crucial in mitigating the potential damage caused by data breaches.