
The Oregon Department of Environmental Quality (DEQ) has declined to confirm whether employee data was exfiltrated during a recent cyberattack attributed to the Rhysida ransomware group. The agency, which disclosed the breach on April 9, 2025, has been criticized for a lack of transparency even after cybersecurity researchers confirmed that 1.3 million files (2.4 TB) had been leaked on dark web forums [1].
Incident Timeline and Confirmed Impacts
The attack forced DEQ to shut down critical systems, including email services, permitting tools, and vehicle emissions testing infrastructure. Rhysida, which has previously targeted the British Library and the Port of Seattle, claimed responsibility on April 16 and leaked the data after the agency did not respond to a 30 Bitcoin (roughly $2.5M) ransom demand [2]. Researchers who examined the leak reported that it included SQL databases containing sensitive employee records; DEQ has not publicly verified this [3].
Technical and Operational Response
Oregon’s Enterprise Information Services is leading the investigation, focusing on malware removal and system rebuilding. Emissions testing services were partially restored by April 14, but DEQ’s refusal to engage with Rhysida or to confirm data theft has complicated damage assessment [4]. The agency’s online portal for air and water permits remained operational throughout, which suggests, though this has not been confirmed, that network segmentation limited the attack’s spread.
| Affected Systems | Status | Timeline |
|---|---|---|
| Vehicle Emissions Testing | Partially Restored | April 14, 2025 |
| DEQ Online Portal | Operational | Uninterrupted |
| Internal Email Systems | Offline | April 9–present |
Broader Implications for Security Teams
Rhysida’s tactics follow a consistent double-extortion pattern: data is exfiltrated before encryption, then auctioned or leaked if the ransom goes unpaid. The group’s dark web auction listing included screenshots of stolen files, a technique previously observed in its Port of Seattle attack [5]. For defensive teams, this highlights the need for:
- Monitoring of database access patterns, particularly bulk reads and dump-style exports, which precede exfiltration in double-extortion attacks
- Segmentation of critical identity management systems from general-purpose infrastructure
- Monitoring of dark web leak sites and auction listings so that claimed data theft can be confirmed or refuted quickly
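The first recommendation is the one that can be turned into detection logic. The following is an added example, not code from the article or from the DEQ investigation: it scans a database audit log for the access pattern that precedes exfiltration, a single principal reading an unusual volume of rows or an unusual number of tables in a short window, or issuing dump-style statements. The log format, the user and table names, and the thresholds are assumptions constructed for illustration; a real deployment would feed it the audit log of the database engine in use and tune the thresholds to baseline traffic.

```python
"""Flag bulk-read and dump-style database access in an audit log.

Added illustration; the line format ("ts user db table rows statement"),
the sample lines, and the thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample audit log (hypothetical format and names).
SAMPLE_AUDIT_LOG = """\
2025-04-08T22:01:10 hr_app hr employees 12 SELECT * FROM employees WHERE id=?
2025-04-08T22:01:40 hr_app hr employees 1 SELECT name FROM employees WHERE id=?
2025-04-08T23:14:02 svc_backup hr employees 48210 SELECT * FROM employees
2025-04-08T23:14:30 svc_backup hr payroll 96550 SELECT * FROM payroll
2025-04-08T23:15:01 svc_backup hr ssn_map 48210 SELECT * FROM ssn_map
2025-04-08T23:15:20 svc_backup permits applications 210004 SELECT * INTO OUTFILE '/tmp/a.csv' FROM applications
2025-04-09T08:05:00 hr_app hr employees 3 SELECT * FROM employees WHERE dept=?
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (.*)$")
# Statements that write a whole result set to a file or invoke a dump tool.
DUMP_RE = re.compile(r"INTO OUTFILE|COPY\s.*\sTO\s|mysqldump|pg_dump", re.IGNORECASE)


def parse_audit_log(text):
    """Parse the constructed format into sorted event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, db, table, rows, stmt = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "table": f"{db}.{table}",
            "rows": int(rows),
            "stmt": stmt,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bulk_reads(events, window=timedelta(minutes=10),
                      row_limit=100_000, table_limit=3):
    """Sliding window per user: alert on row volume, table spread, or dump statements.

    Each (user, kind) pair is reported once so a noisy principal does not
    flood the alert queue.
    """
    recent = defaultdict(deque)  # user -> events inside the current window
    seen = set()
    alerts = []
    for e in events:
        q = recent[e["user"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        rows = sum(x["rows"] for x in q)
        tables = {x["table"] for x in q}

        findings = []
        if rows > row_limit or len(tables) >= table_limit:
            findings.append("bulk_read")
        if DUMP_RE.search(e["stmt"]):
            findings.append("dump_statement")

        for kind in findings:
            key = (e["user"], kind)
            if key in seen:
                continue
            seen.add(key)
            alerts.append({
                "user": e["user"],
                "kind": kind,
                "ts": e["ts"].isoformat(),
                "rows_in_window": rows,
                "tables_in_window": sorted(tables),
            })
    return alerts


def run_detection(text):
    """Convenience wrapper: parse then detect."""
    return detect_bulk_reads(parse_audit_log(text))


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_AUDIT_LOG):
        print(alert)
```

On the constructed log, the application account that reads a handful of rows per query never trips the detector, while the backup-style account that walks three HR tables and then writes a result set to a file produces one bulk-read alert and one dump-statement alert. The window and thresholds are the part that needs tuning: a legitimate nightly backup will look exactly like this unless it is allow-listed by principal and time of day.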
DEQ’s delayed communication, first acknowledging the attack 48 hours after detection, underscores the challenges of public sector incident response. Legal extensions of Clean Fuels Program deadlines show the operational ripple effects [6].
Conclusion
This incident reflects growing ransomware risks to environmental agencies managing sensitive infrastructure data. While the full scope remains unclear, Rhysida’s successful data exfiltration suggests gaps in pre-attack detection capabilities. The DEQ’s rebuilding efforts will likely inform future public sector cybersecurity strategies.
References
- “Oregon DEQ cyberattack: 1.3 million files leaked by Rhysida group,” OPB, Apr. 25, 2025.
- “Oregon agency won’t say if hackers stole data in cyberattack,” AP News, Apr. 24, 2025.
- “Oregon DEQ won’t confirm employee data theft in ransomware attack,” Oregonian, Apr. 26, 2025.
- “Rhysida claims Oregon DEQ hack despite agency denial,” SecurityWeek, Apr. 25, 2025.
- “Oregon Clean Fuels Program delayed by cyberattack,” Carbon Pulse, Apr. 22, 2025.
- “Oregon DEQ data leak confirmed by cybersecurity researchers,” Central Oregon Daily, Apr. 25, 2025.