OMV data hack reveals Louisiana cybersecurity weaknesses

A global cyberattack roiling Louisiana’s Office of Motor Vehicles shows how sophisticated digital criminals have become, experts say, as sluggish and bifurcated security protocols leave firms and governments scrambling to safeguard people’s data.

Cybersecurity researchers, consultants and government officials reacted with alarm Friday as the hack’s effects reverberated in Louisiana and beyond. Every Louisianan with a state-issued driver’s license, ID, or vehicle registration had data exposed in the leak, which targeted a file-sharing software called MOVEit used by an unidentified third-party OMV vendor, officials say.

Names like Equifax and Experian are somewhat synonymous with recent hacks that exposed droves of user data stored by single companies. But the MOVEit breach represents a new kind of hack — one that pierced hundreds, if not thousands, of firms and government agencies worldwide because the file-sharing software is so ubiquitous.

“This could be used to exploit thousands, or tens of thousands, of organizations, God help us, plus the ones they’re sharing data with,” said Andrew Wolfe, a software engineer and computer science professor at Loyola University in New Orleans.

For now, Louisiana officials say OMV appears to be the only state agency affected by the hack, whose victims include the Oregon Department of Motor Vehicles and British Airways, along with dozens of other companies and government agencies.

Louisiana officials first learned of the breach Wednesday evening and issued a press statement the next day announcing that OMV data had been compromised. 

GOHSEP Director Casey Tingle delivers an update on the data breach that struck OMV and what citizens of Louisiana can do to protect themselves at the GOHSEP office on Friday, June 16, 2023 in Baton Rouge, Louisiana.

Exposed data include names, addresses, social security numbers, birthdates, height, eye color, driver’s license numbers, vehicle registration and handicap placard information, said Casey Tingle, director of the Governor’s Office of Homeland Security and Emergency Preparedness. He said some six million OMV records were exposed in total, though some are duplicative because people have multiple forms of documentation on file.

Tingle called the breach “very sophisticated” and described it as “global” in scale. But at least in Louisiana, hackers don’t appear to have sold or released any data yet, he said. Officials believe the state’s own data was not exposed.

Analysts say the hackers could be members of a Russian-speaking extortion group called CL0P. The perpetrators are using the “dark web” — part of the internet not accessible with common search engines — to list which organizations they’ve infiltrated and what kinds of information they obtained, said Demetrice Rogers, a cybersecurity analyst and professor at Tulane University.

Hackers often use such attacks to hold their targets “hostage,” demanding ransom money in exchange for the stolen data. 

Rogers said the group appears adept at identifying and exploiting so-called “zero-day” software vulnerabilities — newly identified holes in software that haven’t yet been addressed by developers.

The impacts of the MOVEit breach are likely more expansive than they currently appear, he said.

“Anybody who uses that file-transfer product should be concerned that their data has possibly been taken by this ransomware gang,” Rogers said.

In another indicator that CL0P could be involved, the U.S. Department of Energy got ransom requests from that group after its nuclear waste facility and scientific education facilities recently fell victim to hackers, according to reports Friday.

The MOVEit leak is just the latest data breach to affect Louisiana state agencies. In recent years, offices including the OMV have been crippled by ransomware and other attacks that left user information exposed.


In November, auditors for the Port of Louisiana said hackers stole $420,000 from the agency in 2021. A ransomware gang also claimed to have leaked personal data of Xavier University students and employees after a November data breach. And Louisiana State Police investigated a hack that caused a network failure at Southeastern Louisiana University in February.

Teresa Jones, who runs a New Orleans-based cybersecurity consulting firm, said the MOVEit hack shows the “madness” of the current global cybersecurity landscape. She said the dark web listing of the hackers’ victims numbered 271 companies and agencies on Friday.

“In our world, it’s like, okay, if a company like that is vulnerable, it proves we’re in the wild, wild west of cybersecurity,” said Jones, whose firm, Evalv IQ, advises courts, maritime ports, healthcare companies and government offices.

A spokesperson for the Burlington, Massachusetts-based technology firm Progress, which developed the MOVEit software, said in a statement that the company is working with federal law enforcement and other agencies to address the hack. The company is committed to combatting cybercriminals as they become increasingly sophisticated, the spokesperson said.

Wolfe, the Loyola University professor, said the OMV responded well by quickly alerting the public to the hack and advising people to freeze credit accounts.

Blame for the hack lies not on a single agency, he said, but on the balkanized cybersecurity infrastructure that has emerged as file-sharing and other software has become increasingly common.

“We have actually deployed information technology much faster than we can deploy it safely,” he said. “It’s very easy and appealing to buy some new piece of technology, and the technology may not have very good safeguards on it.”

Staff writer Saul Pink contributed to this report.

