In the last 18 months at least four western state game & fish licensing or park systems have apparently been hacked, along with Kentucky and another state the hacker claimed but didn’t identify. No evidence has surfaced of personal information taken or tags illicitly obtained. So, no worries, right? How secure are you that your identity and years of saved points are safe?
If you live in Idaho, Oregon or Washington, you’ll remember the September 2016 hacking of their systems. A hacker going by “Mr. High” posted that he had gained access to personal information in five Game and Fish sites or their licensing vendor, which in ID, OR and WA was Active Network.
Idaho and Washington suspended all license sales while they investigated, and Oregon suspended online sales. It turned out that the weakness only allowed access to information for those who had first started applying before 2006 or 2007. Active Network offered free identity repair services and according to the Idaho Statesman, claimed that it had patched the weakness “within 15 hours” and hired a “top-tier cybersecurity firm to conduct a review.”
That hack was disclosed by the hacker. But, what has been undisclosed or undiscovered? After all, there were 100,000 incidents hacks in 2015.
What if some tags are not going to the fortunate but to the nefarious? Would someone pay a full-time basement-dweller to hack their way to a bighorn sheep license without the auction price tag or many years of waiting?
Do wildlife agencies manage and pay for their own cybersecurity out of austere budgets? Can they detect every instance of unauthorized access? Are they able to go back and examine each bit of the draw, discover if any assigned random numbers were changed or check every applicant’s history to see if points jumped? Confirm every residency claim? If so, are those part of the process or just done for cause?
I just read a frightening Oregon Secretary of State audit report summary on their cybersecurity. They surveyed 13 state agencies, including ODFW. They found that three agencies “did not have sufficient network monitoring tools in place to identify potentially malicious traffic,” and one “had an older wireless network that allowed access to internal resources without appropriate identification and authentication.”
The report also found that “user management issues are pervasive,” “security patches are not always applied…Security staffing was generally insufficient, and critical security functions were not always performed.” The final scorecard – “more than half of the agencies had security weaknesses in six of the seven fundamental security controls reviewed.” Oregon is now working on centralizing data security.
I have heard or read several reports lately of clandestine breaching of Fish & Game websites and boasts of what was done. Whether they are true, I can’t say, though charges have been filed in one case.
On the other side, several states have new, probably more secure systems. I was very encouraged with CPW’s cybersecurity after discussing process and monitoring with people in Denver, including the draw coordinator. Still, like rust, hackers never sleep.
We’ve seen some high-profile big game poaching cases lately. So, what do you think? How likely is electronic poaching or ID theft?