Gone Fishing: Hunter and Angler License Breach AlertFishing, Hunting License Applicants' Personal Data Potentially Exposed
It's rare that information security news involves fishing, rather than phishing. The latter involves cybercriminals sending real-looking but fake email messages in an attempt to lure victims into sharing personal details, installing malware or visiting dodgy sites. The definition of the former, meanwhile, remains the subject of thousands of jokes.
But Dallas-based Active Network has confirmed that a hacker attempted to steal user data relating to online applications for hunting and fishing licenses in Idaho, Oregon and Washington. Active Network provides a software-as-a-service application used for activity and participant management by a number of different types of organizations, ranging from marathon organizers and camps to churches and golf courses.
"On Aug. 22, we became aware that we were the victim of an unauthorized and unlawful attempt to access our online hunting and fishing licensing applications in Idaho, Oregon, and Washington," an Active Network spokesman tells me.
The potential hacking alert may have arrived via the website of daily newspaper The Oregonian, after someone used the newspaper's "contact us" page to claim to have stolen driver's license, Social Security data and cell phone numbers from license applicants, the newspaper reported. It said the Oregon Department of Fish and Wildlife took its online licensing system down on Aug. 23 before restoring it later in the day after concluding that no data breach had taken place.
But on Aug. 26, state CIO Alex Pettit announced that he'd ordered the site to be taken down again. "We are working with the vendor to determine if any personal information was indeed accessed while ensuring their system is secure before allowing Oregonians to use it," he said.
Scant Breach Details
Active Network has declined to comment about when the breach may have occurred, what was stolen or how it got a heads-up. But the Active Network spokesman tells me that after the company learned that it may have been breached, "within 15 hours, we conducted a full security sweep and tested and released an update to the three applications to address the reported threat."
A third-party digital forensic investigation firm hired by the software company is continuing to investigate the breach. "All indications are that this potential threat was isolated," the spokesman says, in apparent reference to the organization suspecting that only the three states' license information databases may have been breached.
The breach details provided directly by Active Network are scant - perhaps owing to the still-in-progress investigation. But Idaho Department of Fish and Game has released more substantial information. In an Aug. 26 website alert, the Idaho department says that it first received a warning about the breach on Aug. 23 and that it shut down the related online service the next day, when it issued a public alert about the breach, noting that it was suspending the sale of online tags and licenses "after being notified that its online license vendor's computer system was breached."
Via the Aug. 26 alert, it said that "the data breach apparently occurred sometime over the summer," and that "personal information potentially [exposed] includes name, age, address, and Social Security number." It explained that Idaho Fish and Game is required by state law to obtain this information to issue a license, and that no credit or debit card information appears to have been compromised, although it recommends applicants keep an eye on their financial statements, just in case.
Idaho: Pre-2008 Information at Risk
Idaho Fish and Game said that stolen information may relate to "Idaho residents and nonresidents who started buying hunting and fishing licenses and tags before 2008. Those who made their first license purchase after 2008 are not at risk." It emphasized that this information is state-specific.
Again, however, it's not yet clear whether personal data was inappropriately accessed. "Whether any of Idaho Fish and Game's license buyers' information was obtained has not yet been determined," it said. "Fish and Game is working with the online vendor to investigate the matter and determine whether and to what extent Idaho data was accessed."
The department notes that members of the public can still buy tags from Fish and Game offices as well as a variety of business that sell the licenses and tags by using a separate system that was not hacked. "Fish and Game officials regret the inconvenience to hunters and anglers, but are taking these steps out of abundance of caution," it said. "Fish and Game requested Active Network hire an independent cybersecurity firm to conduct a review and the company agreed to the request."
Free Fishing in Washington
Many states require anglers and hunters to obtain a license, at least when accessing public land or bodies of water. Idaho, for example, requires anyone who fishes in the state - and who's 14 years of age or older - to have a license and charges extra for fishing for salmon and steelhead or using two poles. A one-year adult fishing and hunting license for state residents costs $33.50.
In the wake of the breach alert, however, on Aug. 25, the Washington Department of Fish and Wildlife announced that it would be offering "free fishing" days until Aug. 30, by which time it hoped the situation would be resolved.
On Aug. 27, however, WDFW said via its Facebook page that it had restored the system and that telephone-based sales would resume Aug. 29, while free fishing would continue through Aug. 30.