Oregon sued on behalf of 3.5 million whose private driver license, ID card data was stolen in data breach

A pair of Oregonians have filed a lawsuit that could force the state to pay up – to the tune of many millions of dollars – for a massive international data breach last year that victimized 3.5 million Oregon residents whose driver license and ID card information was stolen.

The plaintiffs, Caery Evangelist and Brian Els, are seeking class-action status for all affected state residents whose information – including names, addresses, dates of birth, last four digits of Social Security numbers, heights and weights – were hacked in May 2023 by a Russian cybergang, according to the lawsuit filed Friday in Marion County Circuit Court.

Also hacked were an estimated 2,770 public and private organizations, from New York City schools to British Airways and the BBC, amounting to more than 90 million victims worldwide, according to the anti-malware company Emsisoft.

The lawsuit doesn’t state how much each Oregonian could receive if it’s successful at winning compensation on the behalf of millions of residents. But the lawsuit sets a minimum floor of $10 million and doesn’t cite an upper limit.

It also asks a court to award lifetime credit monitoring and identity theft insurance for all residents who were victimized.

The suit says the data breach cost both Evangelist and Els – as well as an untold number of other state residents – dozens of hours trying to protect themselves from the fallout, including by learning about what happened, regularly monitoring credit reports and researching credit monitoring services. Evangelist ended up spending $65 to sign up for a credit monitoring service, the suit says.

The stolen data “represents a gold mine for data thieves,” the suit says. It adds that the thieves could use the information to help them or people who buy the data from them “commit a variety of sordid crimes,” including using victims’ names to open financial accounts, take out loans, obtain medical care, receive government benefits, give false information to police and apply for driver’s licenses with another person’s photo.

David House, a spokesperson for the Oregon Department of Transportation and Oregon Driver & Motor Vehicle Services, declined to comment because of the pending litigation. DMV is a division of the state transportation department.

The lawsuit states that a critical flaw in ODOT’s “MOVEit” software, provided by the company Progress Software Corporation, created a vulnerability that the thieves exploited. The suit faults the state for allegedly not appropriately acting to protect Oregonians against that weakness.

State officials have said anyone with an Oregon driver license or ID card that was active at the time of the data breach should assume that their information was stolen. State officials don’t have a way of telling whether that information was illicitly used. After last year’s breach, they posted an informational page here.

The lawsuit was filed by Lake Oswego attorneys Paul Barton and Alex Graven.

— Aimee Green covers breaking news and the justice system. Reach her at 503-294-5119, agreen@oregonian.com or @o_aimee.

Our journalism needs your support. Subscribe today to OregonLive.com.