DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Four states’ fishing and hunting licensing sites hacked (update3)

Posted on August 24, 2016 by Dissent

The databases of four state wildlife sporting licensing sites have been hacked, according to an individual who claims to be the hacker.

On Monday, an individual calling him/herself “Mr. High” posted the following on an AlphaBay forum:

I just hacked four websites and reported the security holes. Two of these were government websites. All of these websites pertain to one type of activity that requires registering PI. Each website is contained to one state. I got over six million pieces of personal information from these websites. This should make the news. I’ll list the exact websites once the security hole is patched and/or it makes the news.

Ten hours later, there was an update:

It looks like two of the security holes have been patched. The other two still remain open. …. Usually it takes a few days for it to make the news. But I can see that one of these websites had a minor “kiddiot” hack not to (sic) long ago. Looks like they didn’t take the time to fix a much more serious error

The reference to a previous hack appears to be a reference to a hack of the Washington state site, reported in June.

Mr. High provided the totals and types of personally identifiable information from each website and state:

2,435,452 – Washington
Name, DOB, Address, DL#, Last Four Digits of SSN, Height, Weight, and Eye Color. Some have email and/or phone.

2,126,449 – Kentucky
Name, DOB, Address, and Last Four Digits of SSN. Some have email and/or phone.

1,195,204 – Oregon
Name, DOB, Address, and DL#. Some have email and/or phone.

788,064 – Idaho
Name, DOB, Address, DL#, Full SSN, Height, Weight, Hair Color, and Eye Color. Some have email and/or phone.

The Washington site was subsequently identified as the state’s hunting and fishing licensing site. At the time of this posting, a message on the site reads:

Thank you for visiting our Hunting & Fishing website. The system is temporarily undergoing maintenance. Please try again later. Thank you, and we apologize for the inconvenience.

The Kentucky site was subsequently identified as the Kentucky Department of Fish and Wildlife, while the Oregon site was  identified as the Oregon Department of Fish and Wildlife , and the Idaho site was identified as the Idaho Department of Fish and Game.

Apart from the Washington site, the other three sites appear online, and none of the four have any notice concerning any breach or data security incident.

In another forum elsewhere, “Mr. High” noted that the Kentucky agency responded quickly to the notification:

Also, the admin from the site in Kentucky replied quickly and is one of the only two that patched the security hole. From the name, it was a female and she was thankful. I also contacted a couple of ‘hacking news’ sites and gave them the info.

[DataBreaches.net was not one of the news sites contacted by Mr. High. This site received a tip to check into the forum posts.]

Although Mr. High thinks that these hacks should trigger notification obligations, and the types of PII involved for three of the four states might trigger breach notification obligations, it’s not clear to me whether licensing application information might be considered public records in some states, in which case, there might be no notification obligations. I’ll leave that question to the lawyers.  But if the applications are not public records, then those sites where individuals’ driver’s license numbers or full Social Security numbers were acquired in plain text may trigger notifications.  We’ll have to wait and see, I guess….

Update 1: KATU has picked up the story. One state (Washington) indicated that the flaw was in a vendor’s sales system, but it hasn’t indicated/named the vendor. Other mainstream media are reporting that both Washington and Idaho have suspended license sales, but no one’s naming any vendor so far, so there may be one vendor that may also account for the other two states – plus other states that have been similarly hacked in the past year. This post will be updated as more information becomes available.

Update 2: At least two states seem to use Active Network as their vendor for online applications. Active Network was sent an inquiry on August 25 asking them to confirm or deny that they are the vendor involved, but DataBreaches.net has gotten no response yet. This post will be updated as more information becomes available.

Update 3: Aha. It is Active Network, who still haven’t replied to this site’s inquiry. They’re probably busy fielding questions from all their customers who will also want to know if they could be affected.

Category: Breach IncidentsGovernment SectorHackOf NoteSubcontractor

Post navigation

← Mail.ru Forums Hack Compromises over 25 Million User Accounts
Do you or a family member have a Health Savings Account? If so, read this. →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.