Just one day before a cyberattack shut down Oregon’s Department of Environmental Quality for several days, the agency’s IT staff warned employees about the risk of hackers.

A cyberattack forced the DEQ to close all its vehicle inspection stations and shut down its networks for several days earlier this month. The attack is being investigated by Enterprise Information Services, a state agency under the Department of Administrative Services.

In an email to DEQ staff on April 8, the agency informed staff that a press release it had sent to subscribers on its email list, which includes members of the public, the media, and other state agencies, contained a link to a third-party website that had been compromised by hackers.

According to Oregon Public Broadcasting, which first reported the news, DEQ did not warn the public or members of its email subscribers about the contaminated link. The link was intended to allow people to register for an upcoming event, but the registration site had been hacked.

“If the link is clicked, it takes you to a hijacked website and asks you to verify that you are human,” the message from DEQ read. “During this process, it asks you to run a command on your system that downloads malicious content to your computer and could provide outside entities access to DEQ networks.”

Following the cyberattack on April 9, the hacking group Rhysida later posted files online that it claimed to have taken from the agency. Neither DEQ nor Enterprise Information Services has verified those claims. The files include terabytes of data and are said to include sensitive information about DEQ employees.

Lauren Wirtis, a spokesperson with DEQ, said the agency did receive a message from someone claiming to have DEQ data, but said Enterprise Information Services — referred to by its acronym DAS EIS — determined that message to be a scam.

“Per DAS EIS recommendations, we noted that such scams are common and created a form where staff could report scams,” she said.

Wirtis said that the agency has received more than one claim from people declaring responsibility for the cyberattack and asking for a ransom, but she stressed that scams are common during cyberattacks.

Wirtis said staff were told on April 17 about the further claims made against DEQ, and advised staff to take precautions to protect their identities, but said the agency is not yet able to confirm what information was taken.

“The investigation into that attack is still underway,” Wirtis said. “We are working across DEQ and (Enterprise Information Services) and with external forensics experts to complete the investigation into what, if any, protected information was stolen during the cyberattack.”