Millions of Louisiana residents targeted in massive cyberattack
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Sarah Grillo/Axios
Everyone with a Louisiana driver's license or state ID likely had their personal information exposed in a massive cyberattack that has punctured agencies across the country.
- State officials are encouraging everyone to take protective measures.
Driving the news: Cyberattackers breached MOVEit, which is one of the vendors for Louisiana's Office of Motor Vehicles, officials say. About 6 million records were compromised in Louisiana, but it's not clear whose information or how much was actually stolen.
Why it matters: Identity theft affects millions of people every year and can have profound consequences for victims.
- You can have your bank accounts wiped out and credit histories ruined. Some people, the U.S. Department of Justice says, have even been arrested for crimes they did not commit as a result of identity theft and fraud.
Zoom out: MOVEit is a data transfer service that the U.S. government and many companies use to send large files.
- The global hack also hit Oregon's driver's license data, in addition to compromising information at Shell, the U.S. Department of Energy and other businesses, universities and agencies.
What he's saying: Leaders don't believe Louisiana was the primary target of the hackers, says Casey Tingle, director of the Governor's Office of Homeland Security and Emergency Preparedness.
- No other state agencies appear to have data compromised, Tingle said, but the investigation is ongoing.
- Louisiana is working with the FBI and the federal Cybersecurity and Infrastructure Security Agency in the aftermath of the breach.
Catch up quick: A senior federal official attributed some of the attacks to the Russia-linked Clop ransomware gang, which has a history of targeting file-transfer tools, writes Axios' Sam Sabin.
- Progress, the developer of MOVEit, has been notifying customers about a pair of severe security flaws in its file-transfer tool for weeks.
- The company rolled out two different patches to fix the issue. Louisiana officials say they have now updated their software and are taking other unspecified protective measures.
Zoom in: Everyone with a Louisiana-issued driver's license, ID or car registration likely had the following data exposed during the hack:
- Name, address, social security number, birthdate, height, eye color, driver's license number, vehicle registration information and handicap placard information.
- Of note: Exposure doesn't necessarily mean that information was stolen.
Threat level: It's unclear what the hackers plan to do with the Louisiana data.
- State leaders say they haven't been contacted for ransom.
- There's also no indication the data has been "sold, used, shared or released," leaders say.
- CISA told reporters Thursday it isn't aware of any instance of hackers trying to extort federal agencies to get them to pay to prevent a leak of stolen data either.
What's next: All Louisianans are encouraged to take the following steps.
- Freeze your credit to prevent unauthorized new accounts or loans.
- Change all passwords and multifactor authentication.
- Protect your tax refund and returns with the IRS.
- Check your Social Security benefits.
- Report suspected identify theft.
Our thought bubble: "Officials across the U.S. are likely going to be uncovering new breaches related to the MOVEit vulnerability for weeks to come, and preventing breaches will largely depend on organizations taking time to figure out if they're affected, installing patches and then investigating any signs of intrusions on their networks," says Axios' Sam Sabin.
Go deeper: The state has created a website with more details about what to do.