Oregon Could Face Class Action Lawsuit For Breach Of Personal Information Following Russian Cyber Attack

Of the 3.5 million Oregonians victimized by a massive international data breach last year, two have filed a lawsuit against the state of Oregon following the theft of their driver’s license and ID card information. The hack was the biggest data breach in over five years.


Russian Cyberattack Exposes Personal Information of 90M Worldwide

According to a lawsuit filed on Friday in Marion County Circuit Court, information of Oregon residents, including their names, addresses, dates of birth, and the last four digits of their Social Security numbers, as well as their heights and weights, were hacked by a Russian cybergang in  May 2023.  Emsisoft, an anti-malware company, estimates that at the same time around 2,770 public and private organizations were also hacked. Victims extend from New York City schools to the BBC and British Airways, with over 90 million victims globally.

The lawsuit avers that the stolen information could be used to help the thieves, or those they sell the data to, to commit a variety of sordid crimes. Victims’ names could be used to open financial accounts, receive government benefits, take out loans, or obtain medical care.

This data would also be useful to nefarious operators to apply for driver’s licenses with another person’s photo or even give false information to police. The lawsuit indicates that the stolen data “represents a gold mine for data thieves.”


Class Action Lawsuit Against The State of Oregonian

In the lawsuit against Oregon the plaintiffs- Caery Evangelist and Brian Els, are seeking class-action status. The filing doesn’t indicate the amount each Oregonian could receive if the suit succeeds in winning compensation on behalf of millions of Oregonian residents. It sets a minimum of $10 million but doesn’t cite an upper limit.

Filed by Lake Oswego attorneys Paul Barton and Alex Graven, the lawsuit also asks that the court award lifetime credit monitoring and identity theft insurance to all victimized residents.

The plaintiffs say the data breach cost them both personally, as well as an unspecified number of other state residents, dozens of hours as they tried to protect themselves from the fallout. They had to establish what happened, monitor credit reports regularly, and research credit monitoring services as a result of the data theft. For example, Evangelist spent $65 signing up for a credit monitoring service.

According to the lawsuit, a critical flaw in software developed by Progress Software Corporation for ODOT’s “MOVEit” program created a vulnerability that the thieves exploited. The plaintiffs allege that the state did not act appropriately to protect Oregonians against this weakness.

The Oregon Driver & Motor Vehicle Services (DMV), a division of the Oregon Department of Transportation, said via their spokesperson, David House, that the DMV declined to comment in light of the pending litigation.

Morning Brief Newsletter
Sign up today for our daily newsletter, a quick overview of top local stories and Oregon breaking news delivered directly to your inbox
You can unsubscribe at any time
Leave A Reply

Your email address will not be published.