Millions of people in Louisiana and Oregon have had their data compromised in the sprawling cyberattack that has also hit the US federal government, state agencies said late Thursday.
The breach has affected 3.5 million Oregonians with driver's licenses or state ID cards, and anyone with that documentation in Louisiana, authorities said. The Louisiana governor's office did not put a number on the number of victims but over 3 million Louisianians hold driver's licenses, according to public data.
The states did not blame anyone in particular for the hack, but federal officials have attributed a broader hacking campaign using the same software vulnerability to a Russian ransomware gang.
The sweeping hack has likely exposed data at hundreds of organizations across the globe and also compromised multiple US federal agencies, including the Department of Energy, as well as data from major corporations in Britain like the BBC and British Airways. The Russian-speaking hackers that claimed credit are known to demand multimillion-dollar ransoms, though US and state governments say they have not received any demands.
The data exposed in the breach of the Oregon and Louisiana motor vehicle departments may include Social Security numbers and driver's license numbers, prompting state authorities to advise their residents on how they can protect themselves from identity fraud.
There is no sign that the hackers have sold or released data stolen from the Louisiana Office of Motor Vehicles, and the hackers have not contacted the state government, the office of Louisiana Gov. John Bel Edwards said in a statement.
On Thursday, the US Cybersecurity and Infrastructure Security Agency revealed to CNN that several US federal government agencies have been hit.
Clop, the ransomware gang allegedly responsible, is known to demand multimillion-dollar ransoms. But no ransom demands have been made of federal agencies, the senior official told reporters in a background briefing.
On Thursday, Progress Software, the US firm that makes the software exploited by the hackers, said it had discovered a second vulnerability in the code that the company was working to fix.
The hacks have not had any "significant impacts" on federal civilian agencies, CISA Director Jen Easterly told reporters, adding that the hackers have been "largely opportunistic" in using the software flaw to break into networks.