Oregon Department of Environmental Quality: Oregon DEQ data breach leaked thousands of people’s information, but the agency hasn’t told the public

Oregon DEQ Data Breach Exposes Personal Information of 4,800 Individuals

In April 2025, the Oregon Department of Environmental Quality (DEQ) suffered a cyberattack that compromised the personal data of approximately 4,800 individuals. The breach, attributed to the ransomware group Rhysida, went undisclosed to the public for months, with affected individuals only notified in late December, nearly nine months after the incident.

The attack disrupted DEQ operations, leaving staff without computer access for nearly two weeks. While the agency initially denied a data breach, investigations later confirmed that sensitive information, including Social Security numbers, had been exposed. The leaked data, tied to "older records," primarily affected individuals outside DEQ, such as those who had participated in asbestos removal training programs years prior.

DEQ acknowledged the breach only after inquiries from OPB, revealing that it had known about the leak since June. Oregon law does not require public disclosure of such incidents, so the agency opted to notify affected individuals directly via mail. However, the delayed notifications, some sent as late as December 30, raised concerns among recipients, including retiree Jack Terrill, who initially suspected the letter was a scam due to its vague details and lack of public confirmation.

The letters, postmarked from West Sacramento, California, included links to IDX, an identity protection company contracted by DEQ. Cybersecurity experts emphasized the importance of verifying such communications, particularly for vulnerable groups like seniors. Terrill’s attempts to confirm the letter’s legitimacy through DEQ were met with unreturned calls and voicemail messages, further fueling skepticism.

DEQ defended its notification process, stating that a manual review was necessary to ensure accuracy and avoid duplication. The agency notified 80 individuals in August, 191 in September, 12 in early December, and the remaining 4,544 on December 30. The breach’s origins remain under investigation, though records suggest a hijacked website link in a DEQ press release may have been the entry point for the attackers.

Rhysida later released 1.3 million files totaling 2.4 terabytes on the dark web, some of which contained DEQ employees’ personal information. The ransomware group initially demanded $2.5 million for the stolen data. DEQ has since updated its data retention policies, stating it no longer collects the type of information compromised in the breach.

A criminal investigation into the incident is ongoing.

Source: https://www.opb.org/article/2026/01/12/oregon-deq-department-environmental-quality-personal-information/

Oregon Department of Environmental Quality cybersecurity rating report: https://www.rankiteo.com/company/oregon-dept-of-environmental-quality

"id": "ORE1768238719",
"linkid": "oregon-dept-of-environmental-quality",
"type": "Ransomware",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '4,800 members of the public',
                        'industry': 'Environmental Regulation',
                        'location': 'Oregon, USA',
                        'name': 'Oregon Department of Environmental Quality '
                                '(DEQ)',
                        'type': 'Government Agency'}],
 'attack_vector': 'Hijacked website link in a press release',
 'customer_advisories': 'Letters sent to affected individuals with identity '
                        'protection services via IDX.',
 'data_breach': {'data_exfiltration': 'Yes (1.3 million files released on the '
                                      'dark web)',
                 'number_of_records_exposed': '4,800',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (Personally Identifiable '
                                        'Information)',
                 'type_of_data_compromised': ['Personal information',
                                              'Social Security numbers']},
 'date_detected': '2025-04',
 'date_publicly_disclosed': '2025-12-30',
 'description': 'About 4,800 members of the public had their personal '
                'information exposed after a cyber attack on the Oregon '
                'Department of Environmental Quality’s servers. The agency '
                'confirmed the leak in December 2025, nine months after the '
                'April 2025 attack, and notified affected individuals via '
                'letters.',
 'impact': {'brand_reputation_impact': 'Negative public perception due to '
                                       'delayed disclosure and poor '
                                       'communication',
            'customer_complaints': 'Confusion and lack of trust from affected '
                                   'individuals',
            'data_compromised': 'Personal information, including Social '
                                'Security numbers',
            'downtime': 'Close to two weeks for DEQ staff',
            'identity_theft_risk': 'High (Social Security numbers exposed)',
            'operational_impact': 'Frozen services, inability to access '
                                  'computers',
            'systems_affected': 'DEQ servers, employee laptops'},
 'initial_access_broker': {'entry_point': 'Hijacked website link in a press '
                                          'release'},
 'investigation_status': 'Ongoing (criminal investigation)',
 'lessons_learned': 'Need for faster public disclosure, improved data '
                    'retention policies, and better communication strategies '
                    'to avoid confusion and mistrust.',
 'motivation': 'Financial gain (ransomware)',
 'post_incident_analysis': {'corrective_actions': 'Updated data retention '
                                                  'processes, manual review of '
                                                  'compromised data, direct '
                                                  'notifications to affected '
                                                  'individuals.',
                            'root_causes': 'Hijacked website link leading to '
                                           'unauthorized access, outdated data '
                                           'retention practices, lack of '
                                           'proactive public disclosure.'},
 'ransomware': {'data_exfiltration': 'Yes',
                'ransom_demanded': '$2.5 million',
                'ransomware_strain': 'Rhysida'},
 'recommendations': ['Implement federal regulations for data breach '
                     'notifications to ensure consistency across states.',
                     'Delete old records that are no longer needed to reduce '
                     'exposure risk.',
                     'Improve public communication by proactively disclosing '
                     'breaches and providing clear, accessible information.',
                     'Ensure timely notifications to affected individuals to '
                     'allow them to take protective measures.'],
 'references': [{'date_accessed': '2025-12-30',
                 'source': 'OPB (Oregon Public Broadcasting)'}],
 'regulatory_compliance': {'regulatory_notifications': 'Direct notifications '
                                                       'to affected '
                                                       'individuals (Oregon '
                                                       'law compliance)'},
 'response': {'communication_strategy': 'Direct letters to affected '
                                        'individuals, no public disclosure '
                                        'until December 2025',
              'containment_measures': 'Freezing services, manual data review',
              'law_enforcement_notified': 'Yes (criminal investigation '
                                          'ongoing)',
              'remediation_measures': 'Updated data retention processes, '
                                      'enhanced data collection/storage '
                                      'practices',
              'third_party_assistance': 'IDX (identity protection company)'},
 'threat_actor': 'Rhysida (ransomware group)',
 'title': 'Oregon DEQ Data Breach - Personal Information Exposure',
 'type': 'Data Breach'}