Government agencies in at least five states have reported a confirmed or potential exposure to a global cyberattack by a ransomware group exploiting a recently discovered vulnerability in the popular file-transfer platform MOVEit.
In the past week, agencies in Minnesota, Illinois, Missouri, Louisiana and Oregon have disclosed that their files were breached by the ransomware group Cl0p. Millions of people have had their personal data disclosed after malicious actors associated with the group accessed the data at the agencies, including at least two motor-vehicle departments.
The Louisiana Office of Motor Vehicles was the latest to confirm its exposure to the hack, stating Thursday that “all Louisianans” with a driver’s license, other state-issued ID or vehicle registration were included. The exposed information includes names, dates of birth, Social Security numbers, license numbers and other personal details.
Gov. John Bel Edwards’ office said that as many as 6 million people were affected by the breach, CNN reported.
Meanwhile, the Oregon Department of Transportation revealed Friday that it, too, was compromised as part of the MOVEit hack, which is believed to have started May 31. The Oregon breach affected as many as 3.5 million drivers and vehicle owners.
Minnesota became the first state to confirm its inclusion in the MOVEit hack, announcing June 9 that sensitive information pertaining to roughly 95,000 students in the state’s foster-care system had been breached. Meanwhile, IT agencies in Illinois and Missouri have said they are investigating the potential impact of the hack on their state networks, but have not said what agencies were affected.
“Public notice will be made as quickly as possible once entities, individuals, or systems who may have been impacted are identified,” read a statement Tuesday from the Missouri Office of Administration’s Information Technology Services Division.
But officials in other states have said they have not been impacted by the MOVEit exploit.
“There is no sign of similar attacks on Virginia’s systems at this time,” a spokesperson for the Virginia Information Technologies Agency told StateScoop. “Our team continuously monitors our Commonwealth technology infrastructure, and we are closely tracking the activities, along with our federal partners and those affected.”
The fallout has also extended to the federal government. On Thursday, U.S. cybersecurity officials confirmed that federal agencies, including two within the Department of Energy, are among the victims. Cybersecurity and Infrastructure Security Agency Director Jen Easterly told reporters, though, that “we are not tracking significant impact on civilian .gov enterprise but are continuing to work with our partners on this.”
While federal officials did not conclusively pin the incidents at Energy on Cl0p, the group is the only ransomware organization known to have exploited the MOVEit vulnerability. Cl0p actors previously set a June 14 deadline for victims to pay a ransom to avoid having their stolen files published, though to date, the group does not appear to have posted any government data on its extortion site.
Since June 1, numerous universities, government agencies and multinational corporations have confirmed their exposure to the MOVEit hack. Well-known victims include the University System of Georgia, British Airways and the oil and gas giant Shell.
MOVEit’s publisher, Progress Software, released a new patch Friday.