DataBreaches.Net

Four states’ fishing and hunting licensing sites hacked (update3)

Posted on August 24, 2016 by Dissent

The databases of four state wildlife sporting licensing sites have been hacked, according to an individual who claims to be the hacker.

On Monday, an individual calling him/herself “Mr. High” posted the following on an AlphaBay forum:

I just hacked four websites and reported the security holes. Two of these were government websites. All of these websites pertain to one type of activity that requires registering PI. Each website is contained to one state. I got over six million pieces of personal information from these websites. This should make the news. I’ll list the exact websites once the security hole is patched and/or it makes the news.

Ten hours later, there was an update:

It looks like two of the security holes have been patched. The other two still remain open. …. Usually it takes a few days for it to make the news. But I can see that one of these websites had a minor “kiddiot” hack not to (sic) long ago. Looks like they didn’t take the time to fix a much more serious error

The reference to a previous hack appears to be a reference to a hack of the Washington state site, reported in June.

Mr. High provided the totals and types of personally identifiable information from each website and state:

2,435,452 – Washington
Name, DOB, Address, DL#, Last Four Digits of SSN, Height, Weight, and Eye Color. Some have email and/or phone.

2,126,449 – Kentucky
Name, DOB, Address, and Last Four Digits of SSN. Some have email and/or phone.

1,195,204 – Oregon
Name, DOB, Address, and DL#. Some have email and/or phone.

788,064 – Idaho
Name, DOB, Address, DL#, Full SSN, Height, Weight, Hair Color, and Eye Color. Some have email and/or phone.

The Washington site was subsequently identified as the state’s hunting and fishing licensing site. At the time of this posting, a message on the site reads:

Thank you for visiting our Hunting & Fishing website. The system is temporarily undergoing maintenance. Please try again later. Thank you, and we apologize for the inconvenience.

The Kentucky site was subsequently identified as the Kentucky Department of Fish and Wildlife, while the Oregon site was identified as the Oregon Department of Fish and Wildlife, and the Idaho site was identified as the Idaho Department of Fish and Game.

Apart from the Washington site, the other three sites appear to be online, and none of the four displays any notice concerning a breach or data security incident.

In another forum elsewhere, “Mr. High” noted that the Kentucky agency responded quickly to the notification:

Also, the admin from the site in Kentucky replied quickly and is one of the only two that patched the security hole. From the name, it was a female and she was thankful. I also contacted a couple of ‘hacking news’ sites and gave them the info.

[DataBreaches.net was not one of the news sites contacted by Mr. High. This site received a tip to check into the forum posts.]

Although Mr. High thinks that these hacks should trigger notification obligations, and the types of PII involved for three of the four states might trigger breach notification obligations, it’s not clear to me whether licensing application information might be considered public records in some states, in which case there might be no notification obligations. I’ll leave that question to the lawyers. But if the applications are not public records, then those sites where individuals’ driver’s license numbers or full Social Security numbers were acquired in plain text may trigger notifications. We’ll have to wait and see, I guess.

Update 1: KATU has picked up the story. One state (Washington) indicated that the flaw was in a vendor’s sales system, but it hasn’t named the vendor. Other mainstream media are reporting that both Washington and Idaho have suspended license sales, but no one is naming a vendor so far, so a single vendor may account for the other two states as well, plus other states that have been similarly hacked in the past year. This post will be updated as more information becomes available.

Update 2: At least two states seem to use Active Network as their vendor for online applications. Active Network was sent an inquiry on August 25 asking them to confirm or deny that they are the vendor involved, but DataBreaches.net has gotten no response yet. This post will be updated as more information becomes available.

Update 3: Aha. It is Active Network, who still haven’t replied to this site’s inquiry. They’re probably busy fielding questions from all their customers who will also want to know if they could be affected.

Category: Breach Incidents, Government Sector, Hack, Of Note, Subcontractor

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.