Louisiana OMV reports data breach

sTizzl

Summary

Louisiana residents with driver's licenses, ID, car registration had data exposed in cyber attack

 

Quotes

Quote

According to a news release from GOHSEP, the Louisiana Office of Motor Vehicles is one of many government entities that was affected by the MOVEit data breach. MOVEit is a third-party data transfer service that sends large files, according to the governor's office.

 

My thoughts

This just goes to show you how inept so many local governments are when it comes to technology. The WAN Show has already covered the new regulations for certain adult sites in Louisiana and how misguided those actions are. Yes, we need to protect the children, but that is done at home by the parents first, not by government. Sorry, that’s getting a little off topic, but I do currently live in Louisiana, and as a technology professional this article, along with all the other things going on, hits a nerve.

 

Sources

https://www.wdsu.com/amp/article/louisiana-omv-drivers-license-cyber-attack/44214388


Ok so a third party service that the government paid to transfer large amounts of data messed up and had a data breach and now it is the government that is incompetent and not the third party service that had the leak? I am a bit confused on the reasoning there. Seems to me like there is nothing the government could have done besides using another service or trying to do the file transfer themselves in a secure way which tbh I don't really trust the government to be able to do correctly as that isn't really their area of expertise.


4 hours ago, sTizzl said:

This just goes to show you how inept so many local governments are when it comes to technology

4 hours ago, sTizzl said:

one of many government entities that was affected by the MOVEit data breach

4 hours ago, sTizzl said:

MOVEit is a third-party data transfer service

 

🌲🌲🌲

 

 

 

◒ ◒ 


4 hours ago, Brooksie359 said:

Ok so a third party service that the government paid to transfer large amounts of data messed up and had a data breach and now it is the government that is incompetent and not the third party service that had the leak?

 They put the stupid law in place. They allowed third parties access to the data. So yeah, the government is to blame. These data breaches happen every other week. The government knew what would happen. 

I just want to sit back and watch the world burn. 


1 hour ago, Donut417 said:

 They put the stupid law in place. They allowed third parties access to the data. So yeah, the government is to blame. These data breaches happen every other week. The government knew what would happen. 

This doesn't make any sense at all. Everyone uses 3rd party software, do you want govs to hire software developers and write their own software or would you rather them pay for and use SAP or ServiceNow or Salesforce etc? 

 

All software could have security flaws in them. You can only do so much to mitigate against these, your options just differ based on if you host it or it's a hosted service. At the fundamental level though not much changes between the two situations, there are limits to what can be done.

 

What could be done differently that you propose? The only effective one I can think of would be legislation that any software or service used by a gov entity or involved with public data must turn over software and system architecture documentation and give documentation on all data protection and encryption as well as data NOT encrypted so these can be analyzed for suitability and meeting minimum standards and practices. This must be done every year jointly with an external independent audit. Problem is would this actually be achievable?


1 hour ago, Donut417 said:

 They put the stupid law in place. They allowed third parties access to the data. So yeah, the government is to blame. These data breaches happen every other week. The government knew what would happen. 

Edgar Allen Poe Reading Meme Generator - Piñata Farms - The ...


2 hours ago, leadeater said:

This doesn't make any sense at all. Everyone uses 3rd party software, do you want govs to hire software developers and write their own software or would you rather them pay for and use SAP or ServiceNow or Salesforce etc? 

It’s not about software. It’s about giving corporations access to the data. I'd rather the government hire people in house to do the work. As far as software goes, the government can look over the code to ensure it’s ok. When the government uses a third party they never do the due diligence of ensuring compliance or accountability. This is why we have 15 programs across 5 Federal agencies to expand broadband, but have large areas of the country that still need broadband.


1 hour ago, Donut417 said:

When the government uses a third party they never do the due diligence of ensuring compliance or accountability.

Very large very reputable organizations have had data breaches and server security flaws that could have been used to compromise systems. Put it this way, MOVEit is one of those companies and is used in the healthcare sector and that diligence would have been done.


1 hour ago, Donut417 said:

It’s not about software. It’s about giving corporations access to the data. I'd rather the government hire people in house to do the work. As far as software goes, the government can look over the code to ensure it’s ok. When the government uses a third party they never do the due diligence of ensuring compliance or accountability. This is why we have 15 programs across 5 Federal agencies to expand broadband, but have large areas of the country that still need broadband.

Yes and then we would be complaining about the government using an outdated proprietary software full of vulnerabilities that hasn't been updated for 10 years if not more. I'm sorry but using a third party is probably more secure than what the government would come up with tbh.


At least if this is to be believed

https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-moveit-extortion-attacks/

They at least have the courtesy to not utilize any of this information when it's from government data. Not that I would trust a statement that they won't but at least it's a bit consoling.

 

3 hours ago, Donut417 said:

It’s not about software. It’s about giving corporations access to the data. I'd rather the government hire people in house to do the work. As far as software goes, the government can look over the code to ensure it’s ok. When the government uses a third party they never do the due diligence of ensuring compliance or accountability. This is why we have 15 programs across 5 Federal agencies to expand broadband, but have large areas of the country that still need broadband.

So tell me, what would you have done differently?

 

This was done with a zero-day vulnerability that allowed SQL injection that exploits publicly facing servers. From at least what I've seen of it, the data might not even have been hosted on a third-party or rather the data wasn't sent to the third party. So in that respect it might be similar to saying the government didn't do their due diligence with Heartbleed.

 

Specifically it seems like the service was meant to facilitate highly sensitive documents, from things like cloud...but the question becomes though they relate it to the MOVEit breach, was it still hosted on their end or was the government hosting the data themselves on premises and just got hit by the zero-day?

3735928559 - Beware of the dead beef
