Oregon DEQ won’t say if ransomware group took employee data in cyberattack
Published 11:49 am Monday, April 28, 2025
- This June 2017 photo shows the headquarters of Oregon's Driver and Motor Vehicles Division in Salem.
The Oregon Department of Environmental Quality on Friday declined to confirm or deny reports that a well-known ransomware group stole employee files in a recent cyberattack at the agency.
The department faced questions after several cybersecurity websites reported that ransomware group Rhysida is behind the cyberattack at the DEQ and has stolen and auctioned off the agency’s data, including sensitive employee information.
“DEQ is aware of these claims. They are still under investigation,” said DEQ spokesperson Lauren Wirtis.
DEQ originally reported it was investigating a cyberattack on April 9. The attack put a near-halt on work at the agency and shuttered vehicle emissions inspection stations. Employees worked entirely from their phones while Enterprise Information Services, which administers the state’s information technology and cybersecurity controls, rebuilt their laptops.
Emission stations reopened five days later and most agency servers are now back online, Wirtis said.
Over the past two and a half weeks, DEQ officials have repeatedly maintained the agency has found no evidence of a data breach.
But 10 days ago, according to cybersecurity websites such as Security Week, ransomware group Rhysida took credit for the cyberattack, claiming it had stolen 2.5 terabytes of files. Rhysida also said it would sell off the data for 30 bitcoin, or about $2.5 million, according to the report. The Oregonian/OregonLive could not independently confirm the report.
Wirtis declined to comment on whether Rhysida had contacted the department.
“We have not engaged in ‘ransom’ or payment discussions with the attacker, or with any entity claiming to have information stolen from DEQ for sale,” the agency said in a statement.
Several high-profile attacks have been attributed to Rhysida ransomware in recent years, including a 2023 attack on California-based health care system Prospect Medical Holdings and a 2024 attack at the Port of Seattle.
An Oregon law says businesses and other entities must follow a stringent transparency protocol when data has been breached, including timely notification of residents whose data has been stolen.
People affected by a data breach can find it difficult to recover damages in court because proving a link between identity theft and financial theft has proved challenging. An Oregon judge earlier this month threw out a lawsuit that sought to recover damages for as many as 3.5 million Oregonians whose driver license or ID card information was stolen in a massive international data breach in 2023.