Vermonters’ personal information may have been stolen from the state’s Fish and Wildlife online license purchasing system in two separate attacks in December and January, according to an independent forensic computer auditor’s report.
The hackers don’t appear to have stolen usable card numbers, but they’ve probably taken an unspecified number of Vermonters’ names, addresses or other information, officials said.
The attacks are believed to have been against the servers of a vendor, Jericho, Vt.-based Earthlogic.
Fish and Wildlife Commissioner Louis Porter said he believes the breach isn’t related to reports last fall from Vermont credit unions that suspected their customers’ information was taken from his department’s servers.
“We believe there was unauthorized access to the system, but we don’t know (that there was) an actual breach of credit card information,” Porter said. “We think it’s quite possible that names, addresses or other information might have been (stolen).”
The compromised servers contain records from roughly 1.6 million Fish and Wildlife transactions since 2013, he said.
At least seven people are thought to have mistakenly entered bank card numbers into Fish and Wildlife’s online license system’s “name” field, and might thereby have allowed infiltrators to see those numbers, officials said. But without other information, even those numbers couldn’t be used fraudulently, they said.
Those people have been notified and given advice on deterring identity theft.
Vermont’s top data security official said it’s not yet clear from where the intrusion originated.
The agency contracts with Earthlogic to process online fishing and hunting license purchases, said Glenn Schoonover, chief information security officer with Vermont’s Department of Information and Innovation.
Chris Kesler, Earthlogic founder and president, said he’s reasonably certain where the attack came from but declined to say. He did say the attack originated outside the United States, which he said is typical.
Such attacks typically employ what are known as proxy internet addresses to misdirect investigators, in which case it’s “a waste of time to follow the rabbit down the hole,” he said.
But in this case Kesler believes the address to which the intrusion was traced is the real one. Kesler said he has alerted the internet service provider for that address.
The attackers gained access in December and January to the servers using a password, Kesler said. Using a program or algorithm, they “made millions of attempts to gain access, and finally had a successful login,” he said.
Kesler said programs he had installed on the servers detected the intrusions.
“They were only on our servers for a couple minutes,” he said. “They were obviously looking for something, and they couldn’t find it, and they moved on quickly.”
The attackers presumably sought credit card information, which the servers don’t contain, Kesler said.
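The pattern Kesler describes, millions of failed attempts followed by one successful login, is detectable from ordinary authentication logs. The example below is added here for illustration and is not Earthlogic's monitoring code; the sshd-style log lines and the addresses in them are constructed, and the failure threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample log lines in sshd format; not from the incident described above.
SAMPLE_LOG = """\
Jan 12 03:14:01 lic-web sshd[2011]: Failed password for admin from 203.0.113.7 port 50112 ssh2
Jan 12 03:14:02 lic-web sshd[2011]: Failed password for admin from 203.0.113.7 port 50113 ssh2
Jan 12 03:14:02 lic-web sshd[2011]: Failed password for root from 203.0.113.7 port 50114 ssh2
Jan 12 03:14:03 lic-web sshd[2011]: Failed password for admin from 203.0.113.7 port 50115 ssh2
Jan 12 03:14:05 lic-web sshd[2011]: Accepted password for admin from 203.0.113.7 port 50116 ssh2
Jan 12 03:20:10 lic-web sshd[2040]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Jan 12 03:20:40 lic-web sshd[2040]: Accepted password for alice from 198.51.100.5 port 40002 ssh2
"""

LINE_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+) port")


def find_bruteforce_logins(log_text, threshold=3):
    """Return (source_ip, user, failures_before_success) for each successful
    login that was preceded by at least `threshold` failures from the same
    source. A single user mistyping a password twice does not trip it; a
    guessing run that finally succeeds does. `threshold` is an assumed value."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
            continue
        # outcome == "Accepted": report if this source had been hammering us
        if failures[src] >= threshold:
            hits.append((src, user, failures[src]))
        # Reset so each burst from a source is reported once
        failures[src] = 0
    return hits


if __name__ == "__main__":
    for src, user, n in find_bruteforce_logins(SAMPLE_LOG):
        print(f"ALERT: {src} logged in as {user} after {n} failures")
```

In production the same rule is more useful as a rate limit or lockout applied before the login succeeds, not only as an after-the-fact alert.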
Fish and Wildlife officials didn’t learn of the December and January intrusions until recently because such attempts are common, Porter said. It wasn’t until a second external security review that investigators learned of those attacks and late last month told the state, he said.
Kesler said he wasn’t terribly alarmed by the intrusion, because nothing that could have been taken would have provided information that a Google search could not.
Since the attacks, Kesler said, he has changed the password to one containing 20 characters to make it harder to crack. More importantly, he said, he’s closed all entry points to the servers other than the website itself — a step that he said renders such intrusions nearly impossible.
The intrusions in December and January were made through what Kesler described as back doors into the servers.
The servers are at a secured facility in Vermont, but Schoonover said security concerns prevented him from saying more specifically where.
Earthlogic encrypts card numbers as they’re entered into the Fish and Wildlife Department’s online form and transmits the encrypted information to credit card processing companies, Schoonover said. Therefore, there’s no possibility the intruders could have secured enough information to put it to use, he said.
“There’s no information on the system a person could use to make a fraudulent purchase,” Schoonover said.
Even in the seven instances over the past five years where Vermonters mistakenly entered their card number in the wrong online field, the name associated with that number wasn’t stored in Earthlogic’s database, Schoonover said.
To make purchases, criminals need not just a card number but also the name of the card’s owner and the expiration date and security code on the back, Schoonover said. In no instance could all those pieces of information for any given person have been taken from a server associated with Fish and Wildlife’s online license purchasing system, he said.
Since the intrusions, Earthlogic has taken steps to prevent users from inadvertently entering numeric information in an online field meant for text, Schoonover said. That is considered an industry best practice, he said.
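One way a form can refuse card numbers typed into a text field is to validate the field server-side, rejecting both digit runs that pass the Luhn checksum used by payment cards and, more simply, any digits at all in a name. This is an added example, not Earthlogic's validation code; the function names and the rejection messages are assumptions, and the card number used in the test is the widely published "4111 1111 1111 1111" test value.

```python
import re


def luhn_valid(digits: str) -> bool:
    """Luhn checksum that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, as card numbers are
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")


def looks_like_card_number(value: str) -> bool:
    """True if any digit run in `value` has card length and passes Luhn."""
    for m in DIGIT_RUN.finditer(value):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            return True
    return False


def validate_name_field(value: str):
    """Return (ok, reason). Card-like input is rejected first so the reason
    can be logged without ever echoing the value itself; plain digits are
    rejected too, since a name field has no legitimate use for them."""
    if looks_like_card_number(value):
        return False, "input resembles a payment card number"
    if re.search(r"\d", value):
        return False, "names may not contain digits"
    if not value.strip():
        return False, "name is required"
    return True, ""
```

Client-side checks in the browser improve the experience but are not a control; the server-side check is the one that keeps the value out of the database.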
The suspected data breach came to light after several internal and external investigations prompted by three Vermont credit unions’ suspicions that apparently fraudulent activity on their customers’ cards could have been allowed by a breach of servers connected with Fish and Wildlife’s online license purchasing system, Schoonover said.
The credit unions last fall told state officials that bank algorithms pointed to Fish and Wildlife’s online license system as a potential source of illegally acquired card numbers.
Schoonover and Porter at that time said they had no evidence those card numbers had been acquired through the agency’s computers or through any that contain information the agency stores. Both men reaffirmed that position last week.
Schoonover, Porter and Kesler all said they thought the suspected intrusions in December and January had no connection to the incidents last fall.
After the credit unions’ alerts last fall, Schoonover did two internal reviews of the agency’s computers and hired contractors to perform an independent review, Porter said, but found nothing indicating they’d been breached.
A second independent review — known in industry parlance as a forensic audit — was then carried out by Utah-based SecurityMetrics, Porter said. Early drafts of a report SecurityMetrics is still writing on the audit stated that Earthlogic’s servers connected to Fish and Wildlife’s online license purchasing system may have been compromised, he said.
State officials learned of this late last month when they saw the draft report, he said, and posted warnings last week on the Fish and Wildlife website alerting users. State law requires such a notice be posted within 30 days from the time officials learn of a breach of state computers.
SecurityMetrics is expected to deliver a final report within 30 days, Schoonover said.
Both Schoonover and Porter said they think the data breach that the credit unions suspected last fall happened through malicious software victims unknowingly installed on their home computers.
The Fish and Wildlife Department still holds a contract with Earthlogic, and both Porter and Schoonover said they’d willingly sign another contract with the company if the opportunity arose.
“There’s nothing in the way they handled this that would preclude them from getting new state business,” Schoonover said. Data breaches do happen even to vigilant companies, and Earthlogic took appropriate steps to prevent infiltrators from getting enough information to make fraudulent purchases, he said.
No other state agencies contract with Earthlogic, Schoonover said, and none appears to have suffered similar data breaches.
