Readers weigh in: Oregonians are mad about the DMV data breach. But what can they do about it?

Published 10:00 pm Monday, June 26, 2023

More than 1,300 people responded to our recent survey asking Oregonians to share their thoughts on the massive data breach at the Oregon Department of Motor Vehicles. The hack by a Russian ransomware group compromised the identities of 3.5 million Oregonians, exposing their names, home addresses, driver’s license numbers and part of their Social Security numbers.

We asked readers to share their thoughts on the breach, and more than 95% of respondents said they were no longer confidence in the state’s ability to protect their personal information.

More than 80% said they were not satisfied with how the state had communicated the breach to the public, and more than 90% said they believed the state should offer identity theft protection or credit monitoring services to Oregonians impacted by the data breach.

The U.S. Cybersecurity and Infrastructure Security Agency says a Russian gang took advantage of a flaw in a popular file transfer tool used by the DMV to move huge files between servers. That hack was able to access the information from hundreds of local governments across the globe, as well as universities and corporations.

State officials and local cyber security experts have said Oregonians should assume their identity has been compromised and take steps to protect themselves.

What readers had to say

Reader: Previously the information from a data breach would be specific to a private company. With this breach having your one govt issued, non-changeable piece of info, with your address as well, makes it scary. Monitoring will need to go on for years. It’s very important to get credit frozen for 16 to 21 year olds. They probably don’t have a credit history yet and may not pay attention that this can affect their future credit access.

Reader: Honestly, other than monitoring (credit reports and bank accounts), nothing I can do is going to protect my information. It’s one more reason to have real people handling transactions and answering phones to help out in many situations in banking, insurance and other sensitive customer services business.

Reader: I’m in the process of freezing credit reports, but it’s difficult navigating — some want to sign you up for paid monitoring (not necessary) and want additional verification info (also not necessary). Information is not easily available for non-English speakers.

Reader: It is outrageous. I have a lot of security on my computer, but now my personal information will no longer be secure. The hackers have my last four of Social Security, my full name, my address, the fact that I am a Veteran, my face from the photograph, my driver’s license number, the expiration date, my date of birth, my gender, my height, my weight, the year the original record was created, the fact that my license is Class C, and a ‘D’ restriction. In short, and pardon the vernacular, I’m screwed.

Reader: All the hackers got was my name and address and my physical description, and maybe the last four of my SSAN. Essentially what they could get from the phone book! Why are people panicking over this???

Reader: Your questions are a bit slanted against the DMV. The fact is, we’ve all already had our data compromised by multiple corporations. I don’t trust anybody: my bank, credit card companies, and online vendors. That’s why we have maintained a freeze on our accounts at credit check companies for the past 5 years. This is only going to happen again. It’s the fault of the system, not this government agency.

Reader: Many people cannot afford to pay for monthly credit report monitoring which has been the recommendation on what to do about the data breach. Many companies get sued for data breaches. The State of Oregon needs to step up and offer free credit monitoring without having people have to file a lawsuit. It’s the right things to do!

Reader: I understand why the state didn’t immediately tell the world. They needed to have a plan on how to advise people. The state was one of many who were hacked. We need to expect this if we are going to participate in any activity of daily living. A small local government got hit by a ransomware attack a few years ago, which completely brought down its system for close to a week. They couldn’t access data or even send mail.

Reader: I don’t know what to do.

Reader: Waiting for an apology from the MOVE IT group to each and every customer they serve. The fault and risk were with them. Yes, Oregon DMV was a customer, but they subscribe just like if we subscribe to Cable TV. They were the weak link regarding safeguards and detection and countermeasures.

Reader: What can I really do? The damage is done! I’m very cautious about who I give my personal info to, and I expect that the entities I’m required to provide my personal info to involuntary should do EVERYTHING to protect this HIGHLY sensitive and potentially life altering information from falling into the wrong hands. It seems like they’re just shrugging their shoulders and saying, “Oops!”

Reader: What can I do really? One of the three main credit monitoring companies was themselves hacked a few years ago … There’s no way recourse for the little people like me. They require us to hand it over to complete any interactions. We can’t say no. Meanwhile, while average folks get taken to the cleaners with identity theft, government agencies and private corporations have no consequences for not keeping our info safe.