The first indication that a hacker might have accessed personal data on the online licensing website used by Idaho Fish and Game came late on Monday, Aug. 22. The vendor that runs the service patched the vulnerability the same day.
Separately, Idaho Fish and Game learned of the potential breach through the Department of Homeland Security on Tuesday. The site was promptly shuttered and the public put on notice.
By then, authorities and site operators knew that the hacker, using the handle Mr. High, had boasted of accessing personal information for as many as 6.5 million people in Idaho, Washington, Oregon and Kentucky.
Mr. High had actually announced his gambit the Friday before, Aug. 19, on a cheekily named online forum accessible from any web browser.
To date, authorities still don’t know whether the hacker actually downloaded any information. And theft, it seems, might not have been the motivation. (The Statesman is referring to the hacker as male, given the handle he used.)
Instead, the breach might have been the hacker’s call to action.
“On Monday I’m going to report five security holes,” he wrote on the forum site Friday, saying he planned to reach out then “to the administrators and to random people like the FBI.”
The licensing sites used by Washington, Oregon and Idaho are contracted to a third-party vendor. Kentucky’s system is in-house. Despite Mr. High’s reference to five security holes, the hacker has not identified a fifth system.
“I’m only reporting the sites that I’ve already worked. The rest stay open for business,” he wrote.
On Monday, Mr. High wrote again on the forum and also on AlphaBay, a marketplace site on the anonymous, encrypted part of the internet known as the dark web.
“This should make the news,” the hacker wrote. “I’ll list the exact websites once the security hole is patched and/or it makes the news.”
About 10 hours later, he named the target sites and what he had obtained: personal information for 2.4 million users in Washington, 2.1 million in Kentucky, 1.2 million in Oregon and 788,000 in Idaho. The data included names and addresses, dates of birth, driver’s license numbers, partial Social Security numbers, email addresses and phone numbers, and personal details such as height, weight and hair color. In Idaho’s case, the hacker could access full Social Security numbers, a consequence of this state’s law.
In his forum message, the hacker said Kentucky’s site administrator, when contacted about the vulnerability, “replied quickly” and “was thankful” for the notification. He said he also contacted “a couple hacking news sites.” At least one security blogger picked up on the hack.
The other licensing sites are managed by Dallas-based Active Network, a data analytics firm that manages cloud-based event and activity registration and payment services for clients. The company says it processes 100 million registrations and $3 billion in payments annually for 42,000 clients and 650,000 activities.
It handles Idaho’s Parks and Recreation reservation system, but that is separate from the Fish and Game licensing site and was not affected by the breach.
Active Network, through a Washington, D.C.-based PR firm, has declined comment beyond an initial statement. The company said it patched the weakness “within 15 hours” and has engaged a “top-tier cybersecurity firm to conduct a review.”
The FBI and Department of Homeland Security are investigating as well.
The exploit, systems experts said, involved a weakness in the front end of the licensing sites — that is, the actual web page users visit to input information.
The weakness meant that a malicious user could gain access to data simply by entering the ID assigned to a user at registration. Older user IDs were numeric only; later, users received more secure alphanumeric IDs, among other security upgrades. In the case of Idaho, only users who signed up in 2008 or earlier and received a numeric ID were at risk.
A hacker could write a fairly straightforward computer script to access individual records for thousands of users in sequence, covering his tracks by hiding his internet address and by obtaining the information gradually over time.
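The weakness described above is what application-security practitioners call an insecure direct object reference: the site trusted the ID in the request instead of checking who was asking. The following Python is an added illustration, not code from the article, the vendor or the state, and the record data, the `/view_record` endpoint and the log lines are constructed. It shows the unchecked lookup beside an ownership-checked one, and a log check a defender could run to spot a single client walking numeric IDs in sequence.

```python
import re
from collections import defaultdict

# Constructed sample: user records keyed by a legacy numeric ID.
RECORDS = {1001: {"name": "A. Angler"}, 1002: {"name": "B. Hunter"}, 1003: {"name": "C. Trapper"}}

def lookup_vulnerable(requested_id):
    """Pattern the article describes: whoever supplies an ID gets that record."""
    return RECORDS.get(requested_id)

def lookup_hardened(session_user_id, requested_id):
    """Fix: the record must belong to the authenticated session; otherwise deny."""
    if session_user_id != requested_id:
        return None
    return RECORDS.get(requested_id)

# Constructed web-server access log (client IP, method, path).
# One client requests consecutive IDs; another requests a single record.
SAMPLE_LOG = """203.0.113.7 GET /view_record?id=1001
203.0.113.7 GET /view_record?id=1002
203.0.113.7 GET /view_record?id=1003
203.0.113.7 GET /view_record?id=1004
198.51.100.9 GET /view_record?id=1002"""

LINE_RE = re.compile(r"^(\S+) GET /view_record\?id=(\d+)$")

def find_enumeration(log_text, min_run=3):
    """Return client IPs that requested at least min_run consecutive numeric IDs in order."""
    ids_by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids_by_client[m.group(1)].append(int(m.group(2)))
    flagged = []
    for ip, ids in ids_by_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.append(ip)
                break
    return flagged
```

A per-client run counter is only a tripwire: spreading requests over weeks or across many addresses, as the article notes a careful attacker would, defeats it, which is why the ownership check in `lookup_hardened` is the actual fix.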
And the exploit might have been open to the hacker for months: Mr. High posted about accessing data as early as March.
When Fish and Game technical staff attempted the exploit based on the hacker’s information, their test “didn’t retrieve all the information that the hacker claimed to have gotten,” said Greg Zickau, Idaho’s chief technology officer. “It’s not confirmed that he was able to get some of the things that he claimed and how long it would have taken for him to get the volume of records that he claims to have had.”
If officials want to prosecute the hack as a crime, that would have to occur in the state where the data resides — in this case, Texas.
Idaho’s state systems have suffered relatively minor cybervandalism in recent years, Zickau said, including website defacements; “ransomware,” a type of malware that attempts to lock out a user until a payment is made; and denial-of-service attacks, in which websites are inundated with simultaneous page-view requests to the point where they are unable to load for legitimate users.
“We’re constantly being scanned, and relatively constantly under some level of attack with varying levels of success,” Zickau said.
The Idaho system will remain offline pending thorough third-party testing.
Identity theft: What you can do
Idaho Fish and Game says the vendor that manages its licensing website will contact users whose data might have been accessed in the recent site hack.
Concerned about identity theft? The Federal Trade Commission hosts a number of resources.
For information on prevention, visit ftc.gov/idtheft.
To report identity theft, visit identitytheft.gov.