About 4,800 members of the public had their personal information exposed after a cyber attack on the Oregon Department of Environmental Quality’s servers — but nine months later, the agency has yet to publicly disclose the scope of the leak.
A letter from the Oregon Department of Environmental Quality on Dec. 30, 2025 notifies a person that their information was impacted in a data breach. About 4,800 members of the public had their personal information exposed in the April 2025 Cyberattack.
Saskia Hatvany / OPB
As OPB previously reported, many DEQ staff were without access to their computers for close to two weeks after an April 2025 cyber attack. But the agency only confirmed that the leak was much larger than first reported — and that personal data of thousands of people had been leaked — in response to questions from OPB this week.
DEQ appears to have known about the leak since June.
Staff said they have updated the agency’s data retention processes as a response to last year’s breach. They said it primarily affected people from outside DEQ whose information was stored in the agency’s “older records.”
“DEQ no longer collects that information and has updated data collection, storage, and retention processes for its programs,” staff said in a statement to OPB.
They didn’t answer a question asking why the agency waited six months before notifying people of the leak, saying only that “we cannot speak to specific notifications or individuals impacted.”
They noted a criminal investigation is ongoing.
Agency staff told OPB that Oregon law doesn’t require it to publicly disclose that its sensitive records were leaked in a cyber attack. The agency has instead sent letters directly to people who were affected.
“There was no call to action for the general public, as there was no additional risk to DEQ systems or the general public discovered during the data forensics and individual notification process,” DEQ staff said. “Impacted persons were notified directly in accordance with Oregon law, using the contact information available.”
Most people affected by the breach didn’t receive notifications until late December.
An expert in identity theft and cyber security, however, says it is best practice for institutions to move more quickly when handling a data leak. And the letters the agency eventually did send out left some Oregonians confused — including Jack Terrill, a retiree in Aloha who originally thought it might be a scam.
Terrill shared a copy of the letter he received with OPB. It says that on June 27, DEQ confirmed his personal information, including his social security number, was leaked. But the agency didn’t send him a notification of the leak until six months later, on Dec. 30.
Another 4,543 people also didn’t receive notifications until then.
Terrill worried that the letter he received late last month was a scam because he couldn’t find updated information about a data leak on DEQ’s website. And although his letter said it was from Oregon DEQ, it was postmarked out of West Sacramento, California. The letter also included a link to a business he had never heard of before, IDX.
Cyber security experts generally advise people, particularly seniors who are vulnerable to identity theft, not to visit unknown links and to verify information in some way — like by going directly to the source.
“It is very important that people do a level of verification,” said James Lee, president of the Identity Theft Resource Center, a nonprofit that advocates for identity protection and helps victims of cyber attacks.
So, Terrill tried to verify the information in his letter by calling DEQ directly.
“I’ve been the last two days calling DEQ on every number I can find,” Terrell told OPB. “And nobody’s ever called me back.”
Each time he called DEQ, he said, a receptionist would forward him to a different person, and he’d get a voicemail. One of those voicemails said the staffer was out of office until September.
“I think everybody left the office,” Terrill said. “I think they’re all over in Hawaii or something on vacation.”
OPB reached out to multiple agencies — DEQ, the Oregon Department of Administrative Services, the state Department of Justice, and Gov. Tina Kotek’s office — to verify whether Terrill’s letter was legitimate.
Multiple spokespeople with these agencies wouldn’t immediately confirm if Terrill and other Oregonians’ information had been leaked. A spokesperson with Kotek’s office said more information about the data breach might become available during a DEQ legislative presentation in a week. She didn’t know what information would be included in that presentation.
Kotek’s spokesperson also wasn’t aware that DEQ had yet to publicly announce that people’s personal information had been leaked.
After OPB’s inquiries to multiple state agencies, Terrill received a call from a DEQ spokesperson. He said she confirmed that the letter was legitimate and that his leaked information was likely tied to a DEQ asbestos removal training he participated in years ago.
“I don’t know why they just don’t put it on the news and say, ‘Hey, if you took a course in certain things that we’ve done, your information might be compromised,’” Terrell said. “I mean, it’s simple as that. Be honest with people.”
Terrill said he’s relieved that he now understands the background to what he had considered an ominous letter. But he worries other people might also become confused due to the lack of information from DEQ.
“I think they sent these letters out hoping everybody would just keep their mouth shut,” he said.
Criminal investigation is ongoing
Lee, with the Identity Theft Resource Center, said businesses and other organizations should inform people of a potential data leak right away.
“It is always better to get the information out as quickly as possible,” Lee said. “The sooner that we can get people notified that their information has been compromised, the sooner they can take steps to protect themselves.”
Lee acknowledged these decisions can be complicated. And every state has its own laws regulating when an agency or business needs to inform someone that their information was leaked.
Lee wishes there were more federal regulations.
“Where you live should not make a difference about what happens when your identity is compromised,” Lee said.
He added that it’s generally best practice for organizations to delete old records that aren’t needed. That appears not to have happened in this case.
When Terrill spoke to DEQ staff about his leaked information, they told him his details were linked to an asbestos removal certification he received more than five years ago, he said.
“Why do they have the information still?” Lee said when told of Terrill’s years-old asbestos certification records. “If you don’t need the information, don’t collect it. If you do have to collect it, only keep it as long as you need it.”
A criminal investigation into the data breach is ongoing. DEQ is contracting with IDX, an identity protection company, to notify victims and to provide protection services.
“As batches of data analysis were provided to the agency from IDX, DEQ then reviewed the information to verify any compromised personal information on an individual basis,” staff told OPB. “This manual process was needed to ensure accuracy, avoid any duplication and fulfill all necessary notification requirements (address confirmation, name verification, etc.).”
The agency notified 80 people in August, 191 people in September, 12 people in early December, and the remaining 4,544 people on Dec. 30.
Oregon's Department of Environmental Quality website on April 25, 2025.
April Ehrlich / OPB
The breach, the leak and the dark web
DEQ regulates air quality, toxins, waste and recycling. It also runs vehicle smog inspections that are required for driver registrations in the Portland and Medford areas.
In early April, the agency sent a press release about an upcoming event to members of the public, media organizations and other state agencies. A week later, it internally warned its staff that a website it had linked to within that press release had been hijacked, according to records obtained by OPB. If anyone clicked the link, the agency’s IT department warned, hackers could gain access to their computer systems.
The agency didn’t warn the public or media organizations about the hijacked link within the press release they had also received.
Days later, DEQ announced it had to freeze most of its services after a potential cyber attack. Many of its employees didn’t have working laptops for weeks. DEQ posted multiple updates denying that there had been a data breach. It has yet to provide the public with an official update since April 25.
As OPB reported at the time, a well-known ransomware group called Rhysida claimed it had stolen files from DEQ’s servers. The group claimed to be holding the files for ransom amounting to about $2.5 million.
The ransomware group later released 1.3 million files amounting to 2.4 terabytes of data on the dark web, a part of the internet that’s only accessible through special software. It claimed the files were from DEQ’s servers. OPB reviewed those files, which appeared to include some DEQ employees’ personal information.
During interviews and email exchanges with OPB last year, DEQ declined to specify if the hijacked website is what led to the cyber attack.
