
A ransomware group has leaked more than a million files that it claims to have stolen from the Oregon Department of Environmental Quality (DEQ). These files reportedly contain sensitive information about DEQ employees, though it remains unclear whether any private vehicle registration data or other information related to Oregonians outside the agency was also compromised.
Earlier this month, DEQ announced a temporary suspension of most of its services due to a potential cyberattack. The agency is responsible for regulating air quality, toxins, waste, and pollution, and it also oversees vehicle smog inspections necessary for driver registrations in the Portland and Medford areas.
While an agency spokesperson did not confirm the extent of the data breach during an OPB interview, a well-known ransomware group called Rhysida had already made 1.3 million files, totaling 2.4 terabytes, available on the dark web—a part of the internet that requires special software for access.
Before releasing the data, Rhysida claimed the files were worth 30 Bitcoins, approximately $2.5 million, and initiated a weeklong auction where bidders could name their price for the “exclusive, unique, and impressive data.” By Wednesday, Rhysida’s website indicated that some of DEQ’s files had already been sold to data buyers, while the remaining files were accessible for free download on the dark web.
Rhysida has previously targeted various organizations, including the British Library, medical facilities, and the Chilean Army. The group also breached computer servers associated with the Port of Seattle, affecting 90,000 individuals. DEQ first reported a potential cyberattack on April 9, leading to the shutdown of most of its services and programs. Throughout that week, DEQ provided daily updates denying that a data breach had occurred.
During this period, employees lost access to internal network files and email accounts, and emails sent to staff between April 9 and 11 were not delivered. Consequently, some permitting and public engagement processes were stalled. The agency also suspended vehicle emissions testing, which is required for driver registrations in affected areas, preventing Oregon drivers from obtaining necessary tests at gas stations, mechanics, or state-operated locations. Testing resumed at DEQ’s own sites on April 14, but as of Friday the system allowing businesses to conduct emissions testing remained down.
On April 16, the tech news site SecurityWeek reported that Rhysida had taken responsibility for the data breach and was giving the agency a week to respond. This was the most detailed information available to Oregonians at the time regarding the nature of the attack. By April 17, DEQ officials stated that employees were working from their phones due to lack of access to laptops, but by Friday, hundreds of staff members were reportedly back at work on laptops.
It was confirmed that information stored in DEQ’s new online portal, DEQ Online, was unaffected by the breach, as most of the agency’s air, land, and water quality permitting programs have transitioned to this system. The Oregon Department of Administrative Services’ Enterprise Information Services is currently investigating the cyberattack. In a statement released after this report, DEQ staff indicated that the timeline for the investigation’s completion remains uncertain.















