A hacker found a vulnerability in the online licensing system used by Idaho’s Department of Fish & Game last month and used it to access the personal data of as many as 788,000 licensees.
But he might have been more of the “white hat” variety hacker. Rather than sell the data he accessed from Idaho’s system and those in three other states, the intruder might have hacked in as a warning that the systems were vulnerable. After getting in, he informed authorities and site administrators of the breach, and he didn’t identify the sites he accessed until the security holes were closed or the sites taken down.
The matter is under criminal investigation by federal authorities, and Fish & Game isn’t saying much more about it for now. But the incident raises some questions on the security of the state network and how the many public-facing systems interact, or don’t.
Does the Fish & Game data breach mean other state systems might be at risk?
Sign Up and Save
Get six months of free digital access to The Idaho Statesman
Not from the same exploit, certainly, which has been closed. Also, the Fish & Game licensing operation is separate from other state systems.
Still, those systems were double-checked after the latest breach was discovered. To understand better, here’s a short drill-down into the basics of the state’s online presence:
Idaho’s method of offering online services is decentralized. Most online services are part of Access Idaho, which runs the overall state site, idaho.gov, and everything under it. Created in 1999, Access Idaho is run by the Idaho Information Consortium, a subsidiary of the National Information Consortium, a Kansas-based, publicly traded company that works with 3,500 federal, state and local agencies in the U.S., including 27 state governments.
788,064The number of Idaho Fish & Game licensees whose personal data was accessed, according to the hacker who goes by the handle Mr. High.
After the Fish & Game breach was discovered, Access Idaho “started a deep monitoring of their system for a day and a half to make sure that this wasn’t a broader kind of attack against Idaho,” said Bill Farnsworth, who works in the state Department of Administration’s chief information officer’s office and chairs the Access Idaho steering committee. Though officials are scanning all the time for trouble, they found no unusual traffic or activity, he said.
The state website lists nearly 200 requests, services or other actions you can process online, such as renew a license, pay child support, or order and obtain documents. Most online services offered through state agencies are managed by Access Idaho, although agencies are not required to go that route. The Fish & Game licensing system, and the Parks and Recreation reservation system, are two that are not managed by Access Idaho. The state Tax Commission uses a system called Gentax, made by Fast Enterprises.
“From my perspective, we encourage agencies to use Access Idaho because they have the expertise and the level of security and everything else to take this on,” Farnsworth said.
So what’s the status of the Fish & Game licensing system now?
The system is still offline, although the vulnerability was patched the day it was discovered. The matter is still under investigation by the FBI and the Department of Homeland Security, and both the vendor and the state want to ensure that the site is secure before bringing it back.
A study found public sector cybersecurity incidents were nearly two-thirds of the total. Among actual breaches, fewer than 1 in 10 involved government sites.
Why were only pre-2008 licensees affected? Whose data is potentially at risk, and how can I know if mine is?
The current vendor, Active Network, took over the operation that year and changed the way records were kept. Anyone who registered before that changeover is potentially affected, regardless of whether they obtained their license online, by mail or in person. Active Network will be contacting all affected users directly by mail.
Is Idaho taking steps to review and improve security?
Yes, and they predate the latest breach. Gov. Butch Otter formed the state Cybersecurity Task Force in July 2015. The panel, chaired by Lt. Gov. Brad Little, has been meeting since last September. It gave a presentation to legislative budget writers in February.
One of the real problems with this is that people don’t like to admit they’ve been hacked or breached.
Lt. Gov. Brad Little, who chairs the state Cybersecurity Task Force
Central to the group’s discussion: Should control and oversight of all online services under Idaho government auspices be centralized? Or should agencies continue to have the option to set up their own outside arrangements, as in the case of Fish & Game?
“We’ve got a subcommittee working on it,” Little said Friday. The latest incident “just kind of put an exclamation point on it.”
So how secure are government computer networks? Are Idaho’s more or less secure than other states?
Not to be facetious, but the most accurate answer might be: As secure as possible. Cybersecurity is a constantly moving target. There’s a reason that an annual report on data breaches prepared by Verizon notes that no locality, industry or organization is bulletproof. Idaho, being a smaller state, is possibly a lower-value target. And financial transactions, such as payment processing, are handled by outside systems.
In terms of public sector sites overall, the 2016 Verizon report catalogs more than 100,000 incidents and 3,141 confirmed data breaches in 82 countries in 2015. Verizon analyzed about 64,000 of those and found that more than 70 percent of them involved public sector institutions. That number is somewhat inflated because government has more requirements to report breaches.
“One of the real problems with this is that people don’t like to admit they’ve been hacked or breached, and bad guys share their stuff,” Little said.
But public sector hacks were largely unsuccessful. Of the 2,260 confirmed breaches Verizon looked at, just 193, or 8.5 percent, involved governments or public agencies. More than one-third of the successful breaches involved financial services companies.
That makes scary sense, given that the No. 1 motivation for hacking, by far, is for financial gain, followed by espionage.
Way behind, in the No. 3 spot, is “Fun.”
Identity theft: What you can do
Idaho Fish and Game says the vendor that manages its licensing website will contact users whose data might have been accessed in the recent site hack.
Concerned about identify theft? The Federal Trade Commission hosts a number of resources:
▪ For information on prevention, visit ftc.gov/idtheft.
▪ To report identity theft, visit identitytheft.gov.