An Oregon DMV data breach has compromised roughly 3.5 million Oregonians’ IDs and drivers licenses, the department said Thursday.

The gravity of the situation is uncertain as the Oregon Department of Transportation refused to disclose what kind of personal information besides what is included on IDs and drivers licenses might be at risk. 

“It could include things beyond what is printed on the card itself,” Amy Joyce, the DMV administrator for the department, said at a Thursday news conference.

The breach was a part of a global hack of a third-party data transfer software, which is used by the Oregon Driver and Motor Vehicle Services Division, on June 1, the department said.

The number of affected people represents 82% or Oregon’s population. In 2021 there were 3.5 million licensed driver or ID card holders in Oregon.

The department realized data had been compromised on Monday, but it didn’t release any information about the incident until Thursday. 

ODOT’s analysis of the June 1 hack determined “unauthorized actors” were able to access DMV files shared via a file transfer software called MOVEit Transfer. The breach occurred before the department received a warning from the U.S. Department of Homeland Security indicating that the software was vulnerable to attackers. 

People who have a valid Oregon ID or drivers license should assume their personal information has been affected by the hack, the department said in a press release.

Carolyn Sullivan, Chief Administrative Officer for the department, said the department didn’t believe any financial transaction data such as credit card information was compromised as a result of the breach. However, the department’s only advice for the roughly 3.5 million Oregonians’ affected by the data breach was to monitor their credit reports for any unusual activity.