Colossal Louisiana Driver Licencing Data Breach
Saturday, 17 June 2023
The MOVEit cyberattacks continue to devastate both Britain and the United States, this time with a colossal cyberattack that exposed the licence details of every single driver in Louisiana. Although the population of Louisiana is only 4.6 million, Casey Tingle, Louisiana’s homeland security and emergency preparedness director, has stated that the total number of records exposed is roughly 6 million.
The governor of Louisiana, John Bel Edwards, released a statement on Thursday explaining that his staff believed every single Louisiana resident with a driver's licence, identification card, or car registration issued by the state had "probably" had their names, addresses, and social security numbers leaked to the hackers. It is believed that the hackers also gained access to the vehicle registration numbers, handicap placard information, and even the registered heights and eye colours of the drivers.
The Clop ransomware gang has claimed responsibility for the hack, despite previously stating that they would not exploit any data taken from government agencies, and assuring authorities that they had erased such information. Edwards noted that there was no evidence that the hackers had sold, used, shared or released the personal details, though the governor suggested that residents of Louisiana take additional steps to protect their identities.
Those measures include freezing their credit (to prevent the opening of new accounts in their names), changing all of their digital passwords, and obtaining a special number from the federal Internal Revenue Service to prohibit someone else from filing tax returns in their names. Edwards reiterated that residents should report any suspected identity theft to authorities.
Louisiana's motor vehicle office is one of the thousands of organisations globally that use the file transfer software MOVEit, which contains a vulnerability that is being actively exploited. Earlier this month, the Clop ransomware gang exploited the vulnerability to attack British Airways and the BBC, along with Transport for London.
Others known to be victims of the exploit include the US Department of Energy, an associated science and technology contractor, and an agency-related facility which disposes of defence-related nuclear waste. The American Cybersecurity and Infrastructure Security Agency has warned that multiple federal government agencies were caught up in the hack, but has not elaborated.