Louisiana OMV data breach exposed nearly all residents’ personal information

The private information of Louisiana drivers was exposed in a massive breach, officials announced on June 15, as part of the global ransomware attack that exploited a MOVEit software vulnerability and affected agencies across the federal government. CI0p, the Russian-linked ransomware-as-a-service syndicate, is allegedly behind the attack, Reuters reported. The attack appears to have begun on May 31, though the vulnerability was identified as early as 2021.

The state’s Office of Motor Vehicles said in a June 15 statement on the theft that it was still unclear if threat actors “have sold, used, shared, or released the OMV data obtained from the MOVEit attack”—but the scope of the hack is stunning.

All Louisiana drivers’ names, addresses, Social Security numbers, birthdays, height and eye color, license numbers, and vehicle registration information were likely exposed.

Louisiana Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP) director Casey Tingle told reporters in a press conference on June 16 that more than 6 million records were exposed, but due to duplicative records from licenses and vehicle registrations, Tingle couldn’t say how many people were impacted.

“The scale of the data in the OMV data is so large as to involve most Louisianans, so that’s the scope of what we’re dealing with,” Tingle said.

Tingle added that GOHSEP isn’t sure if the breach involved licenses and information from people who no longer live in Louisiana, but urged anyone who could be affected to take protective measures.

Ramifications of the MOVEit attack continue to reverberate across public and private institutions. The hack affected federal agencies like the Department of Energy, and potentially involves the data of millions of people.