Did the Governor Pay the Ransom in the Oregon DMV Hack?

As far as anyone knows, Oregon officials never considered paying the progenitors of last month’s hack.

DRIVE SAFELY: Car wash and traffic on Southeast 82nd Avenue. (Brian Burk)

The group behind the Oregon DMV hack said if they didn’t get ransom payments from the hacked entities, they’d give all the stolen data to the dark web. So, did the governor pay the ransom? Or did she just willingly give up our personal data to the dark web? —Michael X

If this were a movie, right about here is where we’d get a speech about not negotiating with terrorists. It only emboldens future attackers, y’know. And anyway, surely no duly elected government of the people would stoop to being held hostage by a bunch of Cheeto-flecked randos in Novosibirsk. Millions for cyberdefense but not one penny for cybertribute! (And stop calling me Shirley.)

In the real world, however—where most people’s idea of cyberdefense is changing their password from “password” to “password1”—stooping is all the rage. One widely publicized study estimated that fully half of the world’s state and local governments paid data ransoms in 2021. With the rise of so-called double-extortion attacks—where the attacker not only threatens to publicize your data, but locks the system so you can’t access it yourself—many victims find it easier and cheaper to just pony up.

Unfortunately, paying ransom only encourages further attacks, which is why states like North Carolina and Pennsylvania are moving to ban it: If hackers know potential victims are legally forbidden to pay, the theory goes, they’ll go elsewhere. (Or, you know, perhaps they’ll just pay and not tell anybody.)

As far as anyone knows, Oregon officials never considered paying the progenitors of last month’s hack. It didn’t hurt that this wasn’t a double-extortion attack; the DMV had and continues to have full access to the compromised data. Also, the hacking group (they call themselves “CL0P”) wasn’t targeting ODOT specifically: The breach was part of a larger operation affecting dozens of entities, including Louisiana’s Office of Motor Vehicles, the BBC, the provincial government of Nova Scotia, and British Airways.

In fact, according to CL0P themselves, they never had any interest in Oregon drivers’ personal info. According to their page on the dark web, “If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.” Can we trust them? I dunno. But it doesn’t seem like sending money will do much good either way.

Questions? Send them to dr.know@wweek.com.
