If you applied online for a fishing or hunting license in Washington state before mid-2006, you should have received a letter last fall notifying you that your personal information has been compromised.
A data breach at Texas-based ACTIVEOutdoors, a Washington Department of Fish and Wildlife vendor, exposed the birthdates, addresses, driver’s licenses, partial or full Social Security numbers and other details of at least 2.2 million Washington residents. That’s nearly one-third of the state population.
“Although we have made and continue to make significant investments in technology and security, on August 22, we became aware that we were the victim of an unauthorized and unlawful access to our online hunting and fishing licensing applications in Idaho, Oregon and Washington,” the letter stated.
The state has had a data breach law since 2005, and the Legislature amended it in 2015 to require consumer notification. The Washington State Office of the Attorney General must be notified when a breach affects more than 500 residents. Washington is one of the few states that also makes these reported breaches public online.
The data-breach law applies to any entity, regardless of where it’s based, as well as to individuals—including individuals providing a service to friends and family on the side.
A September 2016 report by the attorney general’s office said that the personal information of 450,000 Washington residents was compromised in the previous year. That was before the ActiveOUTDOORS breach was reported that same month.
Since then, more than 25 other breaches were reported to the state, including Community Health Plan of Washington, which affected 353,388 residents. Others listed recently range from Boeing and CHI Franciscan Hospice to Western Union, Michigan State University and retailer Vera Bradley.
Last year saw a record 1,093 data breaches in the United States, a 40 percent increase over 2015, according to the Identity Theft Resource Center (ITRC).
“We have our data in a lot of places,” says Thad Dickson, a Key Peninsula resident and CEO of Xpio Health, a Gig Harbor company focused on security and compliance for health care organizations. “People should be conservative about providing their Social Security numbers and personal data to a company because … companies don’t always adequately protect or invest in cyber security protections like we, as consumers, expect.”
Increasingly, the data breaches are caused by hackers. Cybercriminals are after this data because it’s valuable on the black market. The underground works very much like the enterprise economy and the criminal element typically specializes. Some sell the tools needed to perpetrate cyberattacks—even providing customer service, tutorials and toll-free support lines. Others use those tools to perpetrate attacks and then sell the data.
Buyers of that data can then use it in numerous ways, including for identity theft. Personal information is more valuable on the black market than credit card and bank numbers because it has broader use and crimes like identify theft take much longer to detect.
The potential influx of data-breach notices may leave consumers fatigued. But don’t become immune to those letters, advises Shannon Smith, the state’s senior assistant attorney general and chief of the Consumer Protection Division. They are not sent to all customers, but only “to specific individuals who may be at risk of harm” from the exposed data.
She said it’s important to pay attention not only to the notices but also to monitor your credit. If you’re a victim of identity theft, your credit report can show red flags.
Credit-reporting agencies are required to provide one free credit report per year to consumers. Smith recommends staggering them so you can keep an eye on your credit all year long. However, cybercriminals often wait for years to monetize stolen data, so your identity may not be stolen for a long time after a breach.
“Just because there’s no immediate impact, it doesn’t mean there won’t be one,” Smith says. “So be vigilant.”
More information about data breaches, along with a list of companies with breaches affecting more than 500 Washington residents, is available at www.atg.wa.gov/data-breach-notifications.
You can request your free credit report from any of the three major reporting agencies at www.annualcreditreport.com.