Potential security breach may have affected online customers' credit card information.

The Vermont Department of Fish and Wildlife (FWD) is posting this notice because of a suspected security breach related to the on-line purchase of licenses and tags from the Department. The Department values the relationship we have with our customers and understands the importance of protecting customer information. Although we have no conclusive evidence of a misuse of customer information, we are notifying the public about reports of suspected unauthorized access to limited customer information related to the purchases of FWD licenses through the FWD website.

Who is potentially impacted?

Anyone who purchased a FWD license through the FWD website from April 2015 through January 2016.

What happened?

The server housing the FWD online licensing system experienced unauthorized intrusions in 2015 and in January 2016.

What type of information is at issue?

It is possible that customer names, addresses, or other non-credit card related information was accessed. In addition, seven (7) purchases included full or partial credit card numbers entered by users in the wrong data fields. These entries did not include expiration dates or other credit card data. The seven users who made these purchases have been notified of the potential for exposure of their credit card number.

What should I do?

If you purchased a FWD license between April 1, 2015 and January 31, 2016, you can take some precautions. The Attorney General's Office encourages consumers to monitor financial account statements for any sign of suspicious activity. You may wish to obtain a free credit report. More information about how best to protect yourself is below.

What has FWD done to protect my information?

The FWD requested an investigation into the possibility of a security breach. The State of Vermont Department of Information and Innovation (DII) conducted an independent review, two independent reviews were conducted by NuHarbor Security and Security Metrics, and FWD has worked with DII and the server vendor to ensure that customer information is secure. The server vendor monitored, found and addressed a server vulnerability that occurred in December 2015 and January 2016.

Who can I contact for more information?

Louis Porter at 802-828-1454 or Catherine Gjessing at 802-595-3331.

More information about this possible incident and FWD's efforts to determine what may have happened is below.

Over the last several months, FWD has sought and received three reviews of technology systems related to the purchase of FWD licenses through FWD's website. This technology is hosted and maintained by a FWD vendor. Last fall, in response to concerns of certain financial institutions, FWD sought and received two reviews of these licensing systems, both of which concluded that no security breach involving FWD licensing information had occurred. Specifically, these reviews concluded that credit or debit card information was not accessible, that appropriate security protocols were in place and that the vendor had immediately reported potential security breaches and had taken appropriate action to protect customer information.

In December 2015, in response to information received from a financial institution, the State retained a contractor to perform a forensic analysis of the vendor’s web server disk image, web server logs, administrative portal logs and file and system metadata. Some logs were not available. However, based on the logs and other evidence that were available, the contractor reported that an intruder had gained access to the vendor's website in December 2015 and January 2016. The contractor's report, received on May 23, 2016, indicated that the intruder could have viewed seven credit card numbers. This information could have been accessed where customers entered credit card or debit card numbers in the wrong data entry field. Credit card information such as expiration date and CVV code was not available for these seven license purchases. All seven of the affected individuals have been notified of their data entry error and the resulting potential exposure of their credit card number.

As a result of the unauthorized server accesses, in an abundance of caution, FWD wishes to notify all purchasers of licenses between April 2015 and January 2016 to be alert and to remain vigilant for any signs of suspicious activity in your financial statements.

Below is a checklist of suggestions of how to best protect yourself against identity theft:

1. Review your bank, credit card and debit card account statements over the next twelve to twenty-four months and immediately report any suspicious activity to your bank or credit union.

2. Monitor your credit reports with the major credit reporting agencies.

Equifax
1-800-685-1111
P.O. Box 740241
Atlanta, GA 30374-0241
www.equifax.com

Experian
1-888-397-3742
P.O. Box 2104
Allen, TX 75013
www.experian.com

TransUnion
1-800-916-8800
P.O. Box 2000
Chester, PA 19022
www.transunion.com

Under Vermont law, you are entitled to a free copy of your credit report from those agencies every twelve months. Call the credit reporting agency at the telephone number on the report if you find:

  • accounts you did not open,
  • inquiries from creditors that you did not initiate, or
  • inaccurate personal information, such as home address and Social Security number.

3. If you do find suspicious activity on your credit reports or other account statements, call your local police or sheriff's office and file a report of identity theft. Get a copy of the police report. You may need to give copies of the police report to creditors to clear up your records, and also to access some services that are free to identity theft victims.

4. If you find suspicious activity on your credit reports or on your other account statements, consider placing a fraud alert on your credit files so creditors will contact you before opening new accounts. Call any one of the three credit reporting agencies at the number below to place fraud alerts with all of the agencies.

5. You may also get information about security freezes by contacting the credit bureaus at the following addresses:

If you do not have Internet access but would like to learn more about how to place a security freeze on your credit report, contact the Vermont Attorney General’s Office at 802-656-3183 (800-649-2424 toll free in Vermont only).

6. Even if you do not find suspicious activity on your credit report or your other account statements, it is important that you check your credit report for the next two years. Just call one of the numbers in paragraph 2 above to order your reports or to keep a fraud alert in place.

Helpful information about fighting identity theft, placing a security freeze, and obtaining a free copy of your credit report is available on the Vermont Attorney General’s website.

Another helpful source is the Federal Trade Commission website.

Again, FWD takes the protection of customer information very seriously and is committed to providing convenient and secure online services to our customers. We regret any inconvenience this may have caused and we will provide further notice of any additional information that may be of assistance.