After that the state of Louisiana completed and shared its review of the impact of the MOVEit transfer cyber attack on June 14, the Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP) announced additional safety steps. The GOHSEP MOVEit safety steps addressed questions of Louisiana residents.
Details about the GOHSEP MOVEit safety steps
“As a MOVEit customer, certain data within the custody of the state of Louisiana was subject to access by the bad actors,” the nextsteps.la.gov website read. One of the GOHSEP MOVEit safety steps noted on this website urged Louisiana residents to change their passwords. The MOVEit cyber attack was through access to one of the file servers within the Office of Motor Vehicles (OMV).
This OMV server had details of Louisiana citizens including state-issued driver’s licenses, identification cards, and vehicle registrations. Soon after Governor John Bel Edwards received a briefing from GOHSEP, OMV, Louisiana State Police, and the Office of Technology Services, a media briefing was held.
The GOHSEP director Casey Tingle confirmed that there were no indications about any misuse of the data being sold, used, shared, or released.
Other organizations impacted by MOVEit data hack
Besides the organizations that have confirmed being victimized due to the state agency data breach of the OMV, Umpqua bank in Oregon confirmed being impacted by the MOVEit data breach on June 19. Another report stated that nearly 10 federal agencies were impacted by the MOVEit data breach.
The Office of Personnel Management, the Department of Energy, and the Department of Agriculture were among the targets of the data breach. However, the Department of Agriculture did not state that it was due to the Progress software vulnerability.
Among the states impacted by the MOVEit zero-day vulnerability exploitation, the Maryland Department of Human Services was among the latest to join the others.
Software management, the need of the hour
Addressing the state of the software dilemma, a report read, “The software development component of large infrastructure projects is often relegated to secondary importance contributing to project delays and other issues.”
Organizations now need to include software in infrastructure projects besides heavy civil engineering design activities, and construction. Software needs to be worked on, not on the background however with complete attention to its development besides the testing and implementation stages.
MOVEit vulnerability reporting and impacted services
On May 31, 2023, Progress issued a notification to address a vulnerability in MOVEit. On June 1, it offered enhanced remediation steps. In the following days until June 15 further updates were made regarding vulnerabilities found in the product.
No state services were impacted or suspended because of the MOVEit software flaw. The LaWallet was also not found to be impacted based on the investigations.
Addressing the notification sent to impacted individuals by the Progress, the NextSteps.La.Gov FAQ section read, “MOVEit’s manufacturer sent notification of a Zero-Day Vulnerability exploited by bad actors on May 31, 2023, in a blanket statement to its global list of customers.”
The statement did not alert customers about the impact of the cyber attack on each customer’s system or data, the FAQ section further added. Additionally, Progress Software Corporation is facing a lawsuit filed by plaintiffs in Louisiana.