When you think about the personal information that's most valuable to you — the data you really want to keep private and secure — your healthcare information is probably high on the list. Your personal identification, such as your driver's license, is almost certainly up there, too.
For more than 80% of Oregon's residents, that valuable personal data has been compromised. Two major cyber attacks exploiting vulnerabilities in Progress MOVEit Transfer have exposed personally identifiable information (PII) and protected health information (PHI).
A hack of the Oregon DMV System put all Oregon state ID and driver's license data at risk (3.5 million Oregonians, over 80% of the state's population of 4.2 million), and a hack of an Oregon Health Plan contractor included PII and PHI data for over 1.7 million individuals.
In this article, we'll explore what we know about these attacks, what we can learn from the outcomes, and what they mean for state and local cybersecurity strategies moving forward.
Oregon isn't alone in its predicament: Other state government agencies, including the Louisiana DMV and the Minnesota Department of Education, have also experienced data breaches as a result of the same MOVEit vulnerabilities. The two large-scale breaches in Oregon, however, put a spotlight on the massive scale of constituent data that governments manage. Oregon's DMV alone manages PII for over 80% of Oregonians.
What's in it for the hackers? Valuable data, which means valuable leverage (as we see in ransomware attacks) and, in many cases, valuable insights for espionage.
It's easy to see why government agencies are increasingly targeted by sophisticated cyber attacks: They've got high volumes of high-value data. Each government entity can house massive amounts of constituent information, and that PII and PHI may be accessible in multiple locations across that agency's systems and platforms — not to mention the fact that several vendors and contractors may also have access.
In the U.S., when you multiply that out across 50 states and the many interconnected agencies that make up a state government — down to the local level, like city governments, law enforcement, and school districts — and you include each of those organizations' vendors who have system or data access, you discover that PII and PHI data lives, and moves, everywhere.
As we examine these complex security challenges that states face, it's important to understand what happened with the two major breaches in Oregon.
The Oregon Health Plan Contractor Hack: Timeline & Exposed Data
The Oregon Health Plan is the state's program for Medicaid and children's healthcare coverage. An Oregon Health Plan contractor, PH Tech, disclosed that it experienced a data breach resulting from a vulnerability in Progress MOVEit software. Here's what happened:
The Oregonian reports that 1.7 million clients were impacted — and because of the nature of the Oregon Health Plan, we can assume that low-income families and children will see the most significant ramifications. According to PH Tech, the exposed information is believed to include:
That's a lot of critical data, for nearly half of the population of Oregon. In conjunction with IDX, the organization is providing free identity theft protection to those affected.
A cyber attack exploiting vulnerabilities in the Progress MOVEit software also targeted the Oregon Division of Motor Vehicles (DMV). The Oregon Department of Transportation released a statement detailing the sequence of events and the data exposed as a result of the breach:
Unfortunately, citizens' ability to make any changes to their ID information is limited: The announcement states that the DMV "also cannot change the number on your card unless there is proof that your name and number were used in committing a fraudulent act. If that happens, you should first call police to report the crime."
ODOT states that "data records for Oregon driver's licenses, permits, and ID cards" were accessed in the cyber attack.
Whether you've patched your MOVEit software and want to continue with that vendor, or if you're looking for new solutions, here are some ways to bolster your cybersecurity moving forward.
Diversification isn't just good for your financial portfolio. It's also good for your security stack. A strong cybersecurity strategy is layered, with protections in place to safeguard systems, apps, endpoints, and — critically — the data itself. If, and when, one layer of your security stack fails, you want additional layers to pick up the slack and reduce the overall impact.
It's also wise to create degrees of separation between access to systems and access to data. As we saw in the Microsoft cloud vulnerability that exposed government email data, when data access and system access are intertwined, hackers may be able to exploit entire systems, quietly exfiltrating large volumes of highly sensitive data in one fell swoop. When you separate data and system access, should someone gain unauthorized access to your systems, they won’t automatically have access to the data, too.
Rather than granting access to entire servers, drives, or even folders containing sensitive information, manage data access in a way that makes sensitive information accessible only to those with a true business need to know. Implementing tools with granular, attribute-based access control (connected to your identity and access management, IAM, platform) can go a long way in mitigating potential risk.
Not sure where to start? Start with the data. After all, the data itself is the asset you're trying to protect. It's the target of cyber attacks and exfiltrations. Data is your most valuable asset — so when you focus there, other layers of cybersecurity strategy will fall into place.
At Virtru, we recognize that no one vendor will solve your entire security picture. However, our technology can integrate with your most commonly used apps — from Google Workspace to Microsoft 365, Salesforce, and Zendesk — to apply powerful, data-centric security and encryption to sensitive data. If person-to-person secure file-sharing workflows are important to your organization and you're looking to move away from Progress MOVEit, Virtru Secure Share may well provide the secure file-sharing capabilities you're looking for.
Our split-knowledge architecture, granular access control, and military-grade encryption provide robust security that follows data anywhere it moves. We'd love to be one of the foundational, data-centric layers of your security strategy: Contact our team today to book a demo.