JOHN DAY — If you have an Oregon driver’s license, you’ve probably been hacked.

The Oregon Department of Transportation revealed Thursday, June 15, that the state Driver and Motor Vehicle Services Division was targeted in a global ransomware attack and, as a result, cybercriminals may have stolen the personal information of about 3.5 million Oregonians — anyone with an Oregon driver’s license or ID card.

No information is available on which individual accounts have been breached, officials said.

ODOT disclosed in a news release the data was lost through a previously unknown vulnerability in MOVEit Transfer, a popular file sharing app created by Progress Software Corp. According to published reports, numerous other organizations were caught up in the same hack, including multiple federal agencies, U.S. banks and universities and foreign companies such as British Airways and Shell.

The massive international hack has been attributed to Clop, a shadowy ransomware gang believed to be based in Russia.

At a press conference June 15, ODOT officials said the agency was notified of the software vulnerability on June 1 and took immediate steps to secure its software systems. However, on June 1, the agency confirmed the personal information of millions of Oregonians had been accessed through DMV computer records.

Personal information on Oregon driver’s licenses includes the holder’s name, address, driver’s license number and date of birth. ODOT officials declined to say whether even more sensitive information, such as Social Security numbers or financial data might have been compromised in the breach.

“For security purposes, we’re not going to discuss exactly what data points were potentially included in that file. What we’re saying is if you have an Oregon driver’s license, ID or driver’s permit, you can assume that the data associated with that credential has been compromised,” DMV Administrator Amy Joyce told reporters.

“It could include things beyond what’s printed on the card itself.”

Asked why the agency waited until June 15 to alert Oregonians to the data breach, ODOT officials said they were juggling competing needs to protect personal privacy, maintain computer security and provide disclosure.

“There is a balance that needs to be made,” said Thomas Amato, the agency’s chief information officer.

Amato declined to say whether ODOT was in talks with the ransomware gang to buy back the stolen data.

“The federal government strongly, strongly, strongly recommends not negotiating or responding to demands for ransom,” he said. “And I’ll leave it at that.”

ODOT officials are advising Oregonians who may be concerned that the data breach could harm them financially to check their credit reports for any unauthorized transactions. Consumers can ask the credit reporting agency to correct the misinformation or freeze their credit files.

“That’s the best protection that folks can take … is to be monitoring their credit, potentially locking down their credit — you have that ability,” Joyce said.

“This is the world we live in now,” added DMV public information officer Michelle Godfrey. “We have to be responsible for our data, our information.”

For more information, visit the DMV data breach website at https://tinyurl.com/ckxkyvdy.

The Oregon Department of Transportation data breach affects approximately 3.5 million Oregonians, virtually anyone who has an Oregon driver’s license or state ID card. ODOT is advising people to check their credit records by requesting a free report from all three credit reporting agencies:

• Equifax: equifax.com/personal/credit-report-services or 800-685-1111.

• Experian: experian.com/help or 888-397-3742.

• TransUnion: transunion.com/credit-help or 888-909-8872.

You can also request a free credit report online at annualcreditreport.com or by phone at 877-322-8228.

Additional information about protecting yourself from identity theft is available online from the Federal Trade Commission at consumer.gov/idtheft.