A pair of Oregonians has filed a lawsuit that could force the state to pay for a massive international data breach last year that victimized 3.5 million Oregon residents whose driver license and ID card information was stolen.

The plaintiffs, Caery Evangelist and Brian Els, are seeking class-action status for all affected state residents whose information — including names, addresses, dates of birth, last four digits of Social Security numbers, heights and weights — were hacked in May 2023 by a Russian cybergang, according to the lawsuit filed Friday in Marion County Circuit Court.

Also hacked were an estimated 2,770 public and private organizations, from New York City schools to British Airways and the BBC, amounting to more than 90 million victims worldwide, according to the anti-malware company Emsisoft.

The lawsuit doesn’t state how much each Oregonian could receive if it’s successful at winning compensation on the behalf of millions of residents. But the lawsuit sets a minimum floor of $10 million and doesn’t cite an upper limit.

It also asks a court to award lifetime credit monitoring and identity theft insurance for all residents who were victimized.

The suit says the data breach cost both Evangelist and Els — as well as an untold number of other state residents — dozens of hours trying to protect themselves from the fallout, including by learning about what happened, regularly monitoring credit reports and researching credit monitoring services. Evangelist ended up spending $65 to sign up for a credit monitoring service, the suit says.

The stolen data “represents a gold mine for data thieves,” the suit says. It adds that the thieves could use the information to help them or people who buy the data from them “commit a variety of sordid crimes,” including using victims’ names to open financial accounts, take out loans, obtain medical care, receive government benefits, give false information to police and apply for driver’s licenses with another person’s photo.

David House, a spokesperson for the Oregon Department of Transportation and Oregon Driver & Motor Vehicle Services, declined to comment because of the pending litigation. DMV is a division of the state transportation department.

The lawsuit states that a critical flaw in ODOT’s “MOVEit” software, provided by the company Progress Software Corp., created a vulnerability that the thieves exploited. The suit faults the state for allegedly not appropriately acting to protect Oregonians against that weakness.

State officials have said anyone with an Oregon driver’s license or ID card that was active at the time of the data breach should assume that their information was stolen. State officials don’t have a way of telling whether that information was illicitly used. After last year’s breach, they posted an informational page, https://tinyurl.com/bdapeuyv