State Politics

Idaho Fish and Game hacker could face harsh cybercrime penalties

A screenshot from the internet forum where hacker “Mr. High” posted on Aug. 19 about a data breach that included the state of Idaho’s Fish & Game licensing system.
A screenshot from the internet forum where hacker “Mr. High” posted on Aug. 19 about a data breach that included the state of Idaho’s Fish & Game licensing system. Boise

The hacker who breached the Idaho Fish and Game’s online system for obtaining hunting and fishing licenses could face harsh penalties under federal law, even if he – or she – didn’t actually steal or sell any data.

The federal Computer Fraud and Abuse Act lists seven types of criminal activity. One of them is trespassing on a government computer, even if no data is obtained.

The 1986 law has been updated six times, but critics say some of its proscriptions are outdated and its language and enforcement overly broad. For example, the law makes it a federal crime to access a “protected” computer without authorization, or to “exceed authorized access.”

“Protected” computer has been broadly defined in the courts as any computer connected to the internet, and exceeding authorized access could include minors lying about their age to sign up for Facebook, or allowing someone else to log in to one of your accounts.

In April, a former Reuters reporter was sentenced to two years in prison under the law after being found guilty of sharing login credentials to the Los Angeles Times website in an anonymous chat room. The credentials were used to deface a story on the site in 2010.

In 2013, Aaron Swartz, an activist for free online information, killed himself after the government charged him cyber crimes for downloading 4 million articles from a paywalled academic archive at MIT.

Idaho state law also sets forth felony and misdemeanor levels of computer crime. Federal law enforcement is investigating the incident but it is not yet known whether the state also may seek charges.

Hacker posts details online

Based on his own postings in online forums, the Fish and Game hacker is believed to have accessed personal data for 6.5 million people in Washington, Oregon, Kentucky and Idaho. About 788,000 Idaho license holders are potentially involved. The breach affects users who obtained an Idaho license before 2008. Investigators and state officials don’t know if the hacker actually downloaded data or just figured out how to access it by exploiting a security weakness in how older user IDs were assigned by the system.

The data subject to the breach included names and addresses, birth dates, driver’s license numbers, email addresses and phone numbers, personal details such as height, weight and hair color, and partial or full Social Security numbers. Idaho law requires applicants for professional, occupational or recreational licenses to provide complete Social Security numbers, thus making them obtainable by the hacker. Only partial numbers were obtainable in the other states.

The hacker, using the handle MrHigh, posted about the exploit, which involved data from Washington, Oregon, Idaho and Kentucky. All but Kentucky use the same outside vendor to provide the licensing service.

Payment information is handled by another system and was not exposed in the breach.

Active Network, the contractor who runs the registration for Idaho, Washington and Oregon, patched the vulnerability the day it was first reported, on Aug. 22. MrHigh himself posted that day that he had informed site administrators and “random people like the FBI.”

“We are in the news,” the hacker posted again after a Sept. 1 Statesman article. In the same message thread, he asks other users what “precautions would be wise” if he is being investigated.

MrHigh has not responded to the Statesman’s messaged request for comment. Because of his handle, the Statesman is referring to the hacker as male. His posts on an open forum represent amateurish, incautious behavior for a hacker and are seen as a sign that the culprit is not a sophisticated, high-level cyber-intruder.

Nor does his self-described effort to “warn” administrators and law enforcement of the site vulnerabilities count much in his favor or absolve him of a crime.

The FBI and Department of Homeland Security are investigating but will not comment on the status. Active Network also will not comment. The sites remain down while the various parties assess, test and harden site security. Fish & Game says Active Network is contacting affected users. The department’s earlier announcement about the breach is here, which including measures to take for users concerned that their data might be be exposed.

Idaho hunting and fishing licenses are still available in person at Fish and Game offices and from outside vendors. Only online and telephone licensing remains inaccessible, representing about 20 percent of all licenses issued.

Bill Dentzer: 208-377-6438, @IDSBillD

Federal cyber crime law

The federal Computer Fraud and Abuse Act identifies seven types of criminal activity involving computer systems:

▪  Obtaining and transmitting classified government information.

▪  Stealing financial data.

▪  Electronically trespassing in or accessing any “protected computer.”

▪  Computer fraud.

▪  Obtaining and selling passwords.

▪  Spreading malicious code (malware).

▪  Computer extortion.

The law also criminalizes attempts to commit these crimes.