ODOT Data Accessed as Part of Global MOVEit Hack

Having trouble viewing this email? View it as a Web page.

Oregon Department of Transportation Data Accessed as Part of Global MOVEit Hack

Incident is part of international attack on third-party data transfer software MOVEit. BBC, British Airways, and the government of Nova Scotia were among the first big-name victims in hack.

June 15, 2023

For more information, contact Michelle Godfrey, 503-945-5270

SALEM – The Oregon Department of Transportation is among many organizations affected by a data breach inflicted by a global hack of the data transfer software MOVEit Transfer. This ODOT data includes personal information for approximately 3.5 million holders of Oregon ID or driver’s licenses.

Since 2015, ODOT has used MOVEit Transfer, a popular file sharing tool created and supported by Progress Software Corp that allows organizations to securely transfer files and data between business partners and customers. On Thursday, June 1, 2023, the Cybersecurity and Infrastructure Security Agency issued a zero-day vulnerability alert stating that PSC had released a security advisory for MOVEit Transfer, and that the software had a vulnerability which could allow an attacker to “take over an affected system.”

We moved immediately to secure our systems and are confident that they are working safely.

ODOT worked closely with state cyber security services and engaged a third-party security specialist for analysis. Our analysis identified multiple files shared via MOVEit Transfer that were accessed by unauthorized actors before we received the security alert.

On Monday, June 12, ODOT confirmed that the accessed data contained personal information for approximately 3.5 million Oregonians. While much of this information is available broadly, some of it is sensitive personal information.

We do not have the ability to identify if any specific individual’s data has been breached. Individuals who have an active Oregon ID or driver’s license should assume information related to that ID is part of this breach. We recommend individuals take precautionary measures to protect themselves from misuse of this information, such as accessing and monitoring personal credit reports.

If you think you may have been affected, here’s what you should do now:

Under federal law, you have the right to receive, at your request, a free copy of your credit report every 12 months from each of the three consumer credit reporting companies. A credit report can provide information about those who have received your credit history. You may request a free credit report online at www.annualcreditreport.com or by telephone at 1-877-322-8228. 

When you receive your credit reports, check for any transactions or accounts that you do not recognize. If you see anything you do not understand, call the telephone number listed on the credit report or visit the Federal Trade Commission’s Web site on identity theft at http://www.consumer.gov/idtheft/. Additionally, you may wish to ask each of the three credit monitoring agencies to freeze your credit files. 

For information, you can reach out to Ask ODOT, your first point of contact for finding information, services or resolving issues with ODOT. They can be reached by email at AskODOT@odot.oregon.gov.

ODOT has notified law enforcement. Our work to understand the full impact of this incident is ongoing.  As we learn more, affected parties will be notified as required.