The databases of four state wildlife sporting licensing sites have been hacked, according to an individual who claims to be the hacker.
On Monday, an individual calling him/herself “Mr. High” posted the following on an AlphaBay forum:
I just hacked four websites and reported the security holes. Two of these were government websites. All of these websites pertain to one type of activity that requires registering PI. Each website is contained to one state. I got over six million pieces of personal information from these websites. This should make the news. I’ll list the exact websites once the security hole is patched and/or it makes the news.
Ten hours later, there was an update:
It looks like two of the security holes have been patched. The other two still remain open. …. Usually it takes a few days for it to make the news. But I can see that one of these websites had a minor “kiddiot” hack not to (sic) long ago. Looks like they didn’t take the time to fix a much more serious error
The reference to a previous hack appears to be a reference to a hack of the Washington state site, reported in June.
Mr. High provided the totals and types of personally identifiable information from each website and state:
2,435,452 – Washington
Name, DOB, Address, DL#, Last Four Digits of SSN, Height, Weight, and Eye Color. Some have email and/or phone.
2,126,449 – Kentucky
Name, DOB, Address, and Last Four Digits of SSN. Some have email and/or phone.
1,195,204 – Oregon
Name, DOB, Address, and DL#. Some have email and/or phone.
788,064 – Idaho
Name, DOB, Address, DL#, Full SSN, Height, Weight, Hair Color, and Eye Color. Some have email and/or phone.
The Washington site was subsequently identified as the state’s hunting and fishing licensing site. At the time of this posting, a message on the site reads:
Thank you for visiting our Hunting & Fishing website. The system is temporarily undergoing maintenance. Please try again later. Thank you, and we apologize for the inconvenience.
The Kentucky site was subsequently identified as the Kentucky Department of Fish and Wildlife, while the Oregon site was identified as the Oregon Department of Fish and Wildlife, and the Idaho site was identified as the Idaho Department of Fish and Game.
Apart from the Washington site, the other three sites appear online, and none of the four have any notice concerning any breach or data security incident.
In another forum elsewhere, “Mr. High” noted that the Kentucky agency responded quickly to the notification:
Also, the admin from the site in Kentucky replied quickly and is one of the only two that patched the security hole. From the name, it was a female and she was thankful. I also contacted a couple of ‘hacking news’ sites and gave them the info.
[DataBreaches.net was not one of the news sites contacted by Mr. High. This site received a tip to check into the forum posts.]
Although Mr. High thinks that these hacks should trigger notification obligations, and the types of PII involved for three of the four states might trigger breach notification obligations, it’s not clear to me whether licensing application information might be considered public records in some states, in which case, there might be no notification obligations. I’ll leave that question to the lawyers. But if the applications are not public records, then those sites where individuals’ driver’s license numbers or full Social Security numbers were acquired in plain text may trigger notifications. We’ll have to wait and see, I guess….
Update 1: KATU has picked up the story. One state (Washington) indicated that the flaw was in a vendor’s sales system, but it hasn’t indicated/named the vendor. Other mainstream media are reporting that both Washington and Idaho have suspended license sales, but no one’s naming any vendor so far, so there may be one vendor that may also account for the other two states – plus other states that have been similarly hacked in the past year. This post will be updated as more information becomes available.
Update 2: At least two states seem to use Active Network as their vendor for online applications. Active Network was sent an inquiry on August 25 asking them to confirm or deny that they are the vendor involved, but DataBreaches.net has gotten no response yet. This post will be updated as more information becomes available.
Update 3: Aha. It is Active Network, who still haven’t replied to this site’s inquiry. They’re probably busy fielding questions from all their customers who will also want to know if they could be affected.