Hackers stole the driver license info of millions of Oregonians, but judge tosses lawsuit against DMV
Published 10:17 am Sunday, April 27, 2025
An Oregon judge last week threw out a lawsuit that sought to recover damages for as many as 3.5 million Oregonians whose driver license or ID card information was stolen in a massive international data breach in 2023.
Marion County Circuit Judge James Edmonds dismissed the case with prejudice — meaning it can’t be refiled — after the state of Oregon argued that plaintiffs’ lawyers couldn’t directly link the theft of personal information to any Oregonian suffering financial losses. Although the plaintiffs’ lawyers pointed to one case where someone tried to open a Chase Visa card account, the bank caught the fraudulent application and shut it down before any damage was done, lawyers for the state successfully contended.
The plaintiffs, Caery Evangelist, Brian Els and Bradley Larios, sought class-action status for all affected state residents whose information – including names, addresses, dates of birth, last four digits of Social Security numbers, heights and weights – was hacked in May 2023 by a Russian cybergang, according to the lawsuit.
Also hacked were an estimated 2,770 public and private organizations, from New York City schools to British Airways and the BBC, amounting to more than 90 million victims worldwide, according to the anti-malware company Emsisoft.
Oregonians’ driver license and other personal data was accessed through data collected by Oregon Driver & Motor Vehicle Services, which is a division of the Oregon Department of Transportation.
State officials didn’t respond to a request for comment for this story.
The lawsuit states that a critical flaw in the department’s “MOVEit” software, provided by Progress Software Corporation, created a vulnerability that the thieves exploited. The plaintiffs faulted the state for allegedly not acting appropriately to protect Oregonians against that weakness.
“Their (the state’s) argument was ‘We weren’t the ones protecting the data. We hired this data provider. They’re the ones that got hacked. It’s unfair to blame us,’” said Paul Barton, a Portland attorney representing the plaintiffs. “And our argument was ‘Well, you’re the ones who hired them. You had some duty of oversight, to make sure they had the proper protections in place.’”
The suit — for reasons that weren’t explained — didn’t list Progress Software Corporation as a defendant. Barton said he didn’t focus on that aspect of the case. His co-counsels in Oklahoma and New York, who he said might be able to explain, couldn’t be reached for comment.
The lawsuit had sought a minimum of $10 million from the state as well as a lifetime of credit monitoring and identity theft insurance for all residents who were victimized.