Trending / August 26, 2016

Gone Fishing: Contemplations on the Department of Fish and Wildlife Breach

Like really. Fishing. The Department of Fish and Wildlife for the state of Washington has temporarily suspended all sales of fishing licenses following a cybersecurity breach. It seems some cyber crooks went fishing for, found, and then stole the personal information of potentially thousands of licensed anglers.

Now, with the temporary suspension of license sales, the damage is two-fold. Not only is the stolen data vulnerable to misuse, but anyone with plans for some legal late-summer fishing might be out of luck.

Life on a Lake

I have a house on a quiet 60-acre lake about an hour’s drive from downtown Seattle. I love it. With no internal combustion engines allowed, it makes for a peaceful and quiet setting where it’s not uncommon to look out and see bald eagles soaring or diving for the lake’s stocked rainbow trout and coastal cutthroat trout, as well as resident largemouth bass. It’s simple living, away from it all . . . My own version of Thoreau’s life in the woods, where privacy and a bit of primitiveness are paramount. That’s why this particular breach caught my attention.

For those who crave privacy like myself and Thoreau—a man who lived alone and probably never thought to lock his cabin door when out wandering Walden Pond—this breach feels personal. It seems we can’t even go fishing now without someone, somewhere trying to interfere.

Hook, Line, and Sinker

An investigation into the Fish and Wildlife data breach is underway to determine exactly what and how much information has been compromised as well as where the crooks found their “in.” Initial suspicion seems to point to a vulnerability involving outside vendor ACTIVE Network, an online registration service provider. What’s not yet clear is when license sales will resume.

Privacy of client information matters and it’s too bad that the department didn’t have the safeguards necessary to adequately protect vulnerable data. Perhaps they weren’t thinking that the information they gathered was important or valuable enough to be properly protected? Or didn’t expect a fishing and hunting database to be something that would interest a hacker? Whatever the case, the fact remains that data about people has value. It’s not the fishing licenses the hackers were interested in, but the personal data people provided to get those licenses, like home addresses and credit card numbers.

Including my data. We registered for a fishing license this season and now some crook potentially has our information. I’m not sure yet what to do to protect against potential misuse of that data, but I suppose I can take some solace in that we can still legally throw a line late season when the fish have started to become more active again with cooler temperatures.

Reeling It In

It’s yet to be seen what the Department of Fish and Wildlife will do as their investigation continues. They could take a line from, say, the OPM who:

1. Notified (eventually) all affected people
2. Committed to delivering high-quality identity protection services to the community
3. Communicated as best they could how and what happened as they discovered it.

However, in all likelihood, the data that lives in the bits and bytes on the department’s servers is still there. You see, in real life, when your fishing pole is stolen, it’s gone. You can be sure of it. On a computer, when data is taken, the data is still there—but it also left at the speed of light.

So how can the department know what data has been taken? Again, like in the physical world, they discovered someone (who shouldn’t have been) was using their computers. Unlike the physical world, the who, what, where, and why don’t necessarily correspond in the same way.

The cyber world is a tricky one, and it’s hard to say at this point whether it would be better to alarm everyone who happens to have a record now when, in fact, the department may not yet know enough about which (or what) customers’ data was taken.