Vendor to offer protection to those affected by fishing and hunting licenses hack
Well, from reading news coverage, I knew this was coming, but here’s the official announcement: ACTIVEOutdoors, the vendor involved in the hack of several states’ hunting and fishing license sites, will be offering two years of credit monitoring services to people in three states. Here is their announcement:
ACTIVEOutdoors announced today that on August 22, 2016, it became aware that it was the victim of an unauthorized and unlawful access to certain information in the state online hunting and fishing applications that ACTIVEOutdoors operates on behalf of the states of Idaho, Oregon, and Washington. The ACTIVEOutdoors team immediately began an investigation in coordination with the impacted states, and within a few hours had released an update to those applications to address the reported threat.
As an additional protective measure, ACTIVEOutdoors engaged a top-tier cybersecurity firm to conduct an independent review. That review confirmed that the incident was successfully addressed and was isolated to those three states with respect to hunting and fishing accounts that were created prior to July 2006 for Washington customers, and July 2007 for Idaho and Oregon customers. Importantly, no credit card or financial information was involved, and ACTIVEOutdoors is not aware of any fraud associated with this incident. No other system or property of ACTIVEOutdoors or its related businesses was impacted by this incident.
For persons who applied for or purchased hunting and fishing licenses in the impacted states during this timeframe, it has been determined that name, address, date of birth, and driver’s license number were potentially accessed for Oregon and Washington customers. Additionally, full Social Security numbers may have been accessed for customers who applied for or purchased Idaho hunting and fishing licenses prior to July 2007.
ACTIVEOutdoors is committed to working with the state agencies and law enforcement in their ongoing investigation of the incident.
Letters to those potentially impacted by the incident will be mailed beginning on Monday September 19, 2016. These letters include an explanation of the incident, an offer of two years of free identity protection and restoration services, and information about additional ways impacted individuals can protect themselves.
Consumers should note that under no circumstances will ACTIVEOutdoors or the three impacted states call you or send you a message and ask for your personal information in connection with this incident. You should not provide personal information to anyone who calls you or sends you a message about this incident.
To Learn More
ACTIVEOutdoors has established a website, which will be available starting on Monday September 19, 2016 at 9am CDT, where people can check to see whether their information was potentially impacted, receive instructions on how to access identity protection and restoration services, and receive tips to protect against identity theft. The website address is https://activeoutdoors.allclearid.com.
Regret - September 18, 2016
Would be nice if breaches like this boosted grassroots support for an alternative solution to SSNs for identification purposes. At this point, may be easier to come up with a more secure system for Social Security and tax purposes (perhaps including 2FA) and leave the old SSNs out there as a non-secure national ID number.
Regret - September 18, 2016
Another thought: the dates referenced in the announcement quoted above are open-ended, “…accounts that were created prior to July 2006 for Washington customers, and July 2007 for Idaho and Oregon customers.” Seems like they should include a start date too, otherwise, they are suggesting that decades of licensees are affected. I’ll go on the site tomorrow to see if my now-deceased father is on their list (Washington State resident); I don’t know when he last got a fishing license, but it will be interesting to see how far back their data goes.