[S]tate officials believe what looked like a data breach at the Department of Fish and Wildlife may have resulted instead from malicious software on affected credit card users’ computers.
The state’s top computer security officer said his office was alerted to suspicious activity in October by Credit Union of Vermont representatives following fraudulent charges on 75 to 100 account holders’ credit cards.
The credit union’s agents suspected their account holders’ information may have been compromised through transactions with the Department of Fish and Wildlife.
“We went through our system with our own, internal look, and hired an outside firm to look, and could find no evidence of a data breach or vulnerability,” said Department of Fish and Wildlife Commissioner Louis Porter.
Had a data breach occurred, the department would have needed to post a notification, Porter said, “but we don’t have evidence of that. We don’t have evidence it was a breach of any state system.”
Credit Union of Vermont CEO Brian Fogg asked state officials around Oct. 20 to investigate the possibility that his account holders’ credit card information had been stolen from Fish and Wildlife servers, said Glenn Schoonover, Vermont’s chief information security officer.
The credit union found that all the affected card holders had made online purchases from the Department of Fish and Wildlife, Schoonover said.
Schoonover said he and other state information security officials could find no flaws in the Department’s system that could have led to such a breach.
As an extra measure of caution, Schoonover said, he recommended the state hire an outside firm to conduct their own investigation of the system.
“They did an end-to-end security assessment … and didn’t find anything,” Schoonover said.
The assessment included vulnerability scanning, which involves a search for potentially-exploitable weaknesses, as well as penetration testing, which consists of attempting to hack into the system, he said.
One reason he’s confident the theft didn’t occur from Fish and Wildlife servers, Schoonover said, has to do with the fact that the agency doesn’t store credit card information.
When licenses or other department products are purchased online, buyers’ credit card information is encrypted and sent to a third-party credit card payment processor, he said.
That processing company, called Authorized.net, found no evidence that it was from their servers that Fish and Wildlife customers information had been stolen, Schoonover said.
No other banking organizations have reported credit card thefts appearing to arise from Fish and Wildlife transactions, either, Schoonover said.
“If it was a wider-spread problem with Fish and Wildlife, it seems like we would have gotten reports from other” banking agencies, he said.
Credit Union of Vermont agents suspected that a breach had occurred on Fish and Wildlife servers because the agency’s website was one location where all affected cardholders had made purchases, Schoonover said. But the credit union declined to tell him whether there were any other locations where all those affected had also made purchases, he said.
Schoonover said credit union representatives have not reported anything else to him, so he’s not aware of whether the problem is ongoing.
No other state agencies are suspected to have experienced any such compromised financial activity, and a security assessment of other agencies’ systems conducted alongside the Fish and Wildlife security assessment found no vulnerabilities, Schoonover said.
Schoonover said it’s possible that cardholders’ information was taken from their own computers.
Recent reports from Microsoft and McAfee stated that one out of every five home computers in the country use either outdated antivirus software or none at all, Schoonover said.
Having started on the job only days before the credit union contacted his office, Schoonover said, he was pleased with what he found in the systems he oversees.
“They’re doing the right things,” he said.
Fogg did not respond to a request for comment on this story.
