HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Oregon DEQ hit by cyberattack as hackers leak 1.3 million files

Written by Farah Amod | May 7, 2025 10:57:01 AM

Hackers have leaked 1.3 million files stolen from the Oregon Department of Environmental Quality, exposing sensitive employee data and disrupting state services.

 

What happened

A ransomware group has published over 1.3 million files, totaling 2.4 terabytes of data, following a cyberattack on the Oregon Department of Environmental Quality (DEQ). The attack, attributed to the well-known group Rhysida, has primarily exposed sensitive information about DEQ employees. It remains unclear whether private vehicle registration data or other citizen records were also compromised. DEQ initially froze most services earlier this month after detecting suspicious activity, but had not confirmed the extent of the breach during early investigations.

 

Going deeper

The cybercriminal group Rhysida reportedly tried to contact DEQ before releasing the stolen data. After no response, they made the files publicly available on the dark web. Rhysida initially valued the stolen data at 30 Bitcoin (approximately $2.5 million) and attempted to auction it off before eventually making a portion downloadable for free.

Rhysida has a history of targeting major institutions, including the British Library, healthcare facilities, the Chilean Army, and the Port of Seattle. During the breach, DEQ employees were left without access to internal systems, resulting in widespread disruption of permitting services, public engagement processes, and vehicle emissions testing programs critical to driver registrations in Portland and Medford.

Despite early statements downplaying the breach, DEQ later acknowledged the cyberattack and confirmed that its newer online portal, DEQ Online, was unaffected. State cybersecurity services are now involved in the investigation and are working to bolster defenses across other Oregon state networks.

 

What was said

Rhysida posted on its dark web site: “We tried to contact them, but they chose to ignore us. And now their files have been released.” DEQ spokesperson Lauren Wirtis stated that the agency remained committed to protecting Oregon’s air, land, and water throughout the attack and recovery efforts. In a follow-up statement, DEQ also confirmed that it did not engage in any ransom negotiations with the hackers or third parties regarding the stolen information.

 

The big picture

The Oregon DEQ attack shows how ransomware groups are no longer just chasing easy money; they’re willing to paralyze critical public services and expose sensitive data to make a point. When agencies that regulate air quality, public health, or infrastructure get hit, it can result in stolen data and weakened communities. As threats shift from private corporations to public institutions, states face a new kind of pressure: defend their digital front lines or risk losing public trust.

 

FAQs

What is Rhysida, and why are they targeting government agencies?

Rhysida is a ransomware group known for attacking public institutions worldwide, often trying to pressure organizations into paying ransoms by threatening public data leaks.

 

How are state agencies like Oregon DEQ typically targeted in cyberattacks?

State agencies are often vulnerable due to outdated software, limited cybersecurity budgets, and the high value of the sensitive data they manage.

 

What steps should affected DEQ employees take now?

Employees should monitor personal accounts for suspicious activity, update passwords, enable multi-factor authentication, and watch for potential identity theft.

 

How can citizens protect themselves if their data might have been compromised?

Citizens should consider freezing their credit, closely monitoring bank statements, and staying alert for phishing attempts linked to leaked personal information.

 

What are the broader cybersecurity lessons for government agencies from this attack?

The breach proves the need for stronger defense systems, regular security audits, employee training, and rapid incident response plans across all public agencies.