Well, from reading news coverage, I knew this was coming, but here’s the official announcement: ACTIVEOutdoors, the vendor involved in the hack of several states’ hunting and fishing license sites, will be offering two years of credit monitoring services to people in three states. Here is their announcement:
ACTIVEOutdoors announced today that on August 22, 2016, it became aware that it was the victim of an unauthorized and unlawful access to certain information in the state online hunting and fishing applications that ACTIVEOutdoors operates on behalf of the states of Idaho, Oregon, and Washington. The ACTIVEOutdoors team immediately began an investigation in coordination with the impacted states, and within a few hours had released an update to those applications to address the reported threat.
As an additional protective measure, ACTIVEOutdoors engaged a top-tier cybersecurity firm to conduct an independent review. That review confirmed that the incident was successfully addressed and was isolated to those three states with respect to hunting and fishing accounts that were created prior to July 2006 for Washington customers, and July 2007 for Idaho and Oregon customers. Importantly, no credit card or financial information was involved, and ACTIVEOutdoors is not aware of any fraud associated with this incident. No other system or property of ACTIVEOutdoors or its related businesses were impacted by this incident.
For persons who applied for or purchased hunting and fishing licenses in the impacted states during this timeframe, it has been determined that name, address, date of birth, and driver’s license number were potentially accessed for Oregon and Washington customers. Additionally, full Social Security numbers may have been accessed for customers who applied for or purchased Idaho hunting and fishing licenses prior to July 2007.
ACTIVEOutdoors is committed to working with the state agencies and law enforcement in their ongoing investigation of the incident.
Letters to those potentially impacted by the incident will be mailed beginning on Monday September 19, 2016. These letters include an explanation of the incident, an offer of two years of free identity protection and restoration services, and information about additional ways impacted individuals can protect themselves.
Consumers should note that under no circumstances will ACTIVEOutdoors or the three impacted states call you or send you a message and ask for your personal information in connection with this incident. You should not provide personal information to anyone who calls you or sends you a message about this incident.
To Learn More
ACTIVEOutdoors has established a website, which will be available starting on Monday September 19, 2016 at 9am CDT, where people can check to see whether their information was potentially impacted, receive instructions on how to access identity protection and restoration services, and receive tips to protect against identity theft. The website address is https://activeoutdoors.allclearid.com.
Would be nice if breaches like this boosted grassroots support for an alternative solution to SSNs for identification purposes. At this point, may be easier to come up with a more secure system for Social Security and tax purposes (perhaps including 2FA) and leave the old SSNs out there as an non-secure national ID number.
Another thought: the dates referenced in the announcement quoted above are open ended, “…accounts that were created prior to July 2006 for Washington customers, and July 2007 for Idaho and Oregon customers. ” Seems like they should include a start date too, otherwise, they are suggesting that decades of licensees are affected. I’ll go on the site tomorrow to see if my now-deceased father is on their list (Washington State resident); I don’t know when he last got a fishing license, but it will be interesting to see how far back their data goes.
Let us know what you find, please.
OK – I went to the site and input my deceased father’s name and my e-mail address. I was sent a message, which in the relevant part says,
“ACTIVEOutdoors sincerely apologizes for any inconvenience or concern caused by this incident and we are committed to taking steps to protect your personal information. As an added precaution, we have arranged to have AllClear ID provide you with two years of identity repair at no cost to you. The following service starts on the date of this notice, and you can use it at any time during the next two years.
AllClear Identity Repair. This service is automatically available to you with no enrollment required. If a problem arises, simply call 1-855-260-2772 (toll-free) and a dedicated investigator will help recover financial losses, restore your credit, and make sure your identity is returned to its proper condition.
We want to reassure you that we are committed to working with the relevant state agencies and law enforcement to assist in their own investigations into this matter. At this time, ACTIVEOutdoors is not aware of any fraud associated with this incident. Nevertheless, we recommend that you remain vigilant by regularly reviewing account statements and monitoring free credit reports.
Should you have any questions regarding this incident, please call 1-855-260-2772 (toll-free).”
Notably, I didn’t provide them any information other than his name and my email address.
Then, I did the same with my own name and email address. I received an identical e-mail message. I called the toll free number and they told me that I did not need to do anything else to receive the free service and that there was no enrollment process other than what I did. I have not had a fishing license for 20+ years, and at this point don’t know if they are checking my name against the breached data or if they can somehow sign up people for an ID protection service using only an email address and name. I will add another comment if I hear from them again.
Thank you. It sounds like they’re basing the offer just on name – or worse, just on the fact that someone contacts them. Weird.