Cyber Incident Victim: Vermont Department of Fish and Wildlife
Date:
Dec 2015
Location:
United States of America
Summary
The Vermont Department of Fish and Wildlife experienced unauthorized intrusions into its online licensing system server, potentially exposing names, addresses, and other non-credit card information of customers who purchased licenses during a multi-month period. While most financial data remained secure, seven individuals who mistakenly entered partial or full credit card numbers into incorrect fields had that information exposed, though without accompanying expiration dates or CVV codes. The department conducted multiple independent security reviews and forensic analyses, confirming the breaches and collaborating with its server vendor to address vulnerabilities. All potentially affected customers were advised to monitor their financial accounts, with direct notifications sent to the seven individuals whose card data was compromised.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Vermont Department of Fish and Wildlife (FWD) disclosed a suspected security breach involving its online licensing system in June 2016. Unauthorized intrusions occurred on the vendor-hosted server supporting FWD’s website between April 2015 and January 2016, potentially compromising data from customers who purchased licenses during this period. Initial concerns arose from reports by financial institutions, prompting FWD to commission two independent security reviews in late 2015 by NuHarbor Security and Security Metrics. These initial assessments found no evidence of a breach, concluding credit card data was inaccessible and security protocols were adequate. However, a subsequent forensic analysis initiated in December 2015—triggered by additional alerts from a financial institution—revealed unauthorized access events in December 2015 and January 2016. The investigation, completed on May 23, 2016, determined that an intruder could have viewed customer names, addresses, and other non-credit card information. Additionally, seven customers who erroneously entered full or partial credit card numbers into non-payment fields during license purchases had this data exposed, though no expiration dates or CVV codes were accessible. FWD directly notified these seven individuals about the potential compromise of their card details.
In response to the confirmed breaches, FWD collaborated with the State of Vermont Department of Information and Innovation (DII) and the server vendor to address vulnerabilities. The vendor remediated the server flaws identified during the intrusions and implemented enhanced monitoring. FWD issued a public notification advising all license purchasers between April 2015 and January 2016 to monitor financial accounts for suspicious activity, though no conclusive evidence of data misuse was found. The department provided contact information for Louis Porter and Catherine Gjessing to address public inquiries. The incident prompted three total security reviews, including the forensic examination of server disk images, logs, and metadata, though some log data was unavailable for analysis. As a precautionary measure, FWD emphasized vigilance for all affected customers while confirming that standard license transactions did not expose credit card data due to secure payment processing protocols. The vendor’s corrective actions aimed to prevent future unauthorized access to the licensing system.