Here’s what to know three weeks after massive data breach hit Louisiana’s OMV
A massive cybersecurity breach last month led to the release of six million Louisiana Office of Motor Vehicles records, exposing the names, social security numbers, addresses and birth dates of almost all Louisiana residents.
But the breach could have been much worse — potentially exposing sensitive financial data safeguarded by the state Department of Revenue — had officials acted less quickly to contain it, according to documents and interviews with state officials and cybersecurity experts.
Every Louisianan with a state-issued driver’s license, ID, or vehicle registration had data exposed in the breach, which targeted third-party file-sharing software called MOVEit. The breach has reverberated globally, as dozens of pharmaceutical firms, media companies and other entities have had their data compromised.
The data teams of several other Louisiana agencies, including the revenue department, use MOVEit to transfer data. But the OMV is the only Louisiana entity to have been affected by the breach, according to information provided by Gov. John Bel Edwards’ office.
Members of CL0P, a ransomware gang thought to be headquartered in Russian-occupied Ukraine, took advantage of MOVEit developers’ plans this spring to install a new “patch” in their software. Having learned of vulnerabilities in that patch, they quickly struck at entities worldwide that use the file-sharing service once the patch was applied, cybersecurity experts say.
Two days before the Governor’s Office of Homeland Security and Emergency Preparedness announced the breach, officials started to learn the extent of the problem when they realized that CL0P had obtained OMV data through the defective patch. The patch had been applied to servers at the Louisiana Department of Public Safety, which oversees the OMV.
Data obtained by the group was confined to a single server, GOHSEP officials said.
The state Office of Technology Services links multiple state agencies’ servers under a single umbrella — something the CL0P hackers sought to use to their advantage, said Jacques Berry, a Division of Administration spokesperson.
But as soon as staff learned of the breach, they halted plans to apply the new, defective patch to DOR and other servers’ MOVEit environments, Berry said. Once the CL0P hackers hit the state’s cybersecurity defenses and failed to obtain additional data on other agencies’ servers, they abandoned efforts to target the Louisiana agencies.
Had the patch been applied to other server environments earlier, the breach might have swiftly penetrated deeper into the state’s information network, Berry said.
It’s unclear how much the attack and the state’s response to it have cost taxpayers, if anything. Also unclear is how much the state has spent on cybersecurity in recent years. A public records request to determine that information hasn’t yet been fulfilled.
To remedy the issue, the state applied a new, improved software patch issued by MOVEit’s manufacturer to its servers, according to GOHSEP. It also reconfigured its firewalls to defend itself against internet traffic from MOVEit’s web services.
Some cybersecurity experts have praised the state’s response.
Officials responded well by quickly alerting the public of the hack and advising people to freeze credit accounts, said Andrew Wolfe, a software engineer and computer science professor at Loyola University in New Orleans.
“I felt that this showed that they had done a pretty good job of getting themselves set up for this,” Wolfe said. “They were ready for the disclosure; they were ready to present a report of what the risks were. They gave residents a set of procedures and protective steps that they could take.”
Wolfe blamed the incident on the balkanized cybersecurity infrastructure that has emerged as file-sharing and other software has become increasingly common. Hacking strategies are evolving faster than security protocols can keep up, he said.
After the breach, GOHSEP officials said that no state services have been suspended because of the MOVEit vulnerability. They say there are no current plans to suspend any of those services.
A GOHSEP spokesperson referred questions about the breach to a fact sheet released by Edwards’ office about the event.
Asked if the state could have done more to preemptively fix the situation, GOHSEP officials said the nature of the so-called “zero-day vulnerability” that resulted in the breach would have made earlier mitigation difficult.
“This means that the attackers found a defect with a third-party software product before its manufacturer or other sophisticated cybersecurity professionals became aware,” the fact sheet reads. “Unfortunately, the state of Louisiana, along with countless other entities, both public and private, were impacted by simply being MOVEit customers.”
Staff writer Sam Karlin contributed to this report.