Vermont Fish and Wildlife reports license data breach
From the notice on their web site:
The Vermont Department of Fish and Wildlife (FWD) is posting this notice because of a suspected security breach related to the on-line purchase of licenses and tags from the Department. The Department values the relationship we have with our customers and understands the importance of protecting customer information. Although we have no conclusive evidence of a misuse of customer information, we are notifying the public about reports of suspected unauthorized access to limited customer information related to the purchases of FWD licenses through the FWD website.
Who is potentially impacted?
Anyone who purchased a FWD license through the FWD website from April 2015 through January 2016.
The server housing the FWD online licensing system experienced unauthorized intrusions in 2015 and in January 2016.
What type of information is at issue?
It is possible that customer names, addresses, or other non-credit card related information was accessed. In addition, seven (7) purchases included full or partial credit card numbers entered by users in the wrong data fields. These entries did not include expiration dates or other credit card data. The seven users who made these purchases have been notified of the potential for exposure of their credit card number.
What should I do?
If you purchased a FWD license between April 1, 2015 and January 31, 2016, you can take some precautions. The Attorney General’s Office encourages consumers to monitor financial account statements for any sign of suspicious activity. You may wish to obtain a free credit report. More information about how best to protect yourself is below.
What has FWD done to protect my information?
The FWD requested an investigation into the possibility of a security breach. The State of Vermont Department of Information and Innovation (DII) conducted an independent review, two independent reviews were conducted by NuHarbor Security and Security Metrics, and FWD has worked with DII and the server vendor to ensure that customer information is secure. The server vendor monitored, found and addressed a server vulnerability that occurred in December 2015 and January 2016.
Who can I contact for more information?
More information about this possible incident and FWD’s efforts to determine what may have happened is below.
Over the last several months, FWD has sought and received three reviews of technology systems related to the purchase of FWD licenses through FWD’s website. This technology is hosted and maintained by a FWD vendor. Last fall, in response to concerns of certain financial institutions, FWD sought and received two reviews of these licensing systems, both of which concluded that no security breach involving FWD licensing information had occurred. Specifically, these reviews concluded that credit or debit card information was not accessible, that appropriate security protocols were in place and that the vendor had immediately reported potential security breaches and had taken appropriate action to protect customer information.
In December 2015, in response to information received from a financial institution, the State retained a contractor to perform a forensic analysis of the vendor’s web server disk image, web server logs, administrative portal logs and file and system metadata. Some logs were not available. However, based on the logs and other evidence that were available, the contractor reported that an intruder had gained access to the vendor’s website in December 2015 and January 2016. The contractor’s report, received on May 23, 2016, indicated that the intruder could have viewed seven credit card numbers. This information could have been accessed where customers entered credit card or debit card numbers in the wrong data entry field. Credit card information such as expiration date and CVV code was not available for these seven license purchases. All seven of the affected individuals have been notified of their data entry error and potential exposure of their credit card number that resulted.
As a result of the unauthorized server accesses, in an abundance of caution, FWD wishes to notify all purchasers of licenses between April 2015 and January 2016 to be alert and to remain vigilant for any signs of suspicious activity in your financial statements.
Below is a checklist of suggestions of how to best protect yourself against identity theft:
1. Review your bank, credit card and debit card account statements over the next twelve to twenty-four months and immediately report any suspicious activity to your bank or credit union.
2. Monitor your credit reports with the major credit reporting agencies.