Every Louisiana driver’s license holder exposed in colossal cyber-attack – The Guardian

Personal details for every holder of a driver’s license from the US state of Louisiana were exposed to hackers who have pulled off a colossal cyber-attack that also affected American federal agencies, British Airways and the BBC, according to officials.

A statement on Thursday from the governor of Louisiana, John Bel Edwards, said that his staff believes everyone with a driver’s license, identification card or car registration issued by the state of more than 4.6 million residents probably had their names, addresses and social security numbers exposed to the hackers.

Other personal information to which the cyber-attackers apparently had access were Louisianans’ driver’s license numbers, vehicle registration data, handicap placard information, birthdates, heights and eye colors, Edwards’s statement said.

The Russia-linked extortion gang CI0p, which claimed credit for the recent hack, has previously said it would not exploit any data taken from government agencies and assured it had erased such information. However, it has not elaborated.

Edwards also said there was no evidence that the hackers had sold, used, shared or released the personal details, though the governor suggested that Louisianans take steps to protect their identities. Those measures include freezing their credit to prevent the opening of new accounts in their names, changing all their digital passwords, obtaining a special number from the federal Internal Revenue Service to prohibit someone else from filing tax returns in their names, and reporting any suspected identity theft to authorities.

Louisiana’s motor vehicle office was among numerous organizations to use software named MOVEit which was designed to transfer large digital files. CI0p exploited a flaw in the MOVEit transfer tool as part of a ransomware scheme, and the number of entities known to be hit has steadily been growing for days.

British Airways last week confirmed that its staffers’ names, address, national insurance numbers and banking details were exposed because its payroll provider Zellis used MOVEIt. The BBC said its staff had also been afflicted because Zellis was its payroll provider, though the broadcaster added that it did not believe banking details were compromised. The UK’s beauty and health company Boots said some of its team members’ information was also stolen.

Others struck were the US Department of Energy, an associated science and technology contractor, and an agency-related facility which disposes of defense-related nuclear waste. The American Cybersecurity and Infrastructure Security Agency has warned that multiple federal government agencies were caught up in the hack but has not elaborated.

Additional victimized organizations included Shell, the University of Georgia’s academic system, Johns Hopkins University and the Johns Hopkins Health System.

As the extent of the MOVEit cyber-attack continues coming into focus, experts have warned that the massive breach reiterates how vulnerable US government agencies continue to be in the face of such threats despite investing in security improvements.