Oregon Department of Corrections reports data breach, says info doesn’t appear to be at risk

SALEM, Ore. (KTVZ) -- The Oregon Department of Corrections reported details Friday of a recent data breach that involved human error, not a cyberattack, and the mistaken mailing of an internal spreadsheet with personal information about over 850 people.

Here are the details, as shared by the department:

WHAT HAPPENED

On September 9, Oregon Department of Corrections (ODOC) discovered that a staff member mistakenly emailed an internal spreadsheet to two individuals wishing to visit one of its institutions. This spreadsheet included the personal information of 861 individuals on whom ODOC had completed background checks. This mis-mailing was on August 28 and 29. 

Once ODOC learned of the error, immediate action was taken. ODOC contacted the two email recipients and coordinated an appropriate response with its State-side information security resources. It was confirmed the emails and their attachments were fully deleted from both recipients’ email and from State mail systems on September 16, 2024. 

WHAT INFORMATION WAS INVOLVED

The protected information inadvertently shared is the combination of each individual’s name, and drivers’ license or state identification number. This is “personal information” protected under the Oregon Consumer Information Protection Act (OCIPA), ORS 646A.600 et seq. Other information relating to background checks (such as approval or denial and reason) was also summarized in the spreadsheet, as was dates of birth and FBI Numbers. No Social Security numbers or financial information was in the spreadsheet.

WHAT ODOC IS DOING

ODOC takes this event very seriously. ODOC reported the incident to the Oregon State Police and to the State’s Cyber Security Services office; and confirmed the information was deleted from State mail systems and recipients’ emails. Additionally, ODOC has been working with facility staff and the State’s Cyber Security Services office to take specific steps to limit the likelihood of future errors of this kind. It is also evaluating additional measures to further enhance protocols for the protection of visitors’ personal information.

Again, this exposure was due to error and was not the result of a cyberattack. It does not appear individuals’ information is at risk. However, to assist in protecting those affected against identity theft, ODOC is making 12 months of identity theft resolution services available at no cost. 

The Oregon Department of Corrections is committed to protecting individuals' information. Immediate action was taken to investigate and address the vulnerabilities of this breach, and to implement corrective actions. DOC reaffirms its commitment and dedication to the safety and security of individuals’ information.