MEDFORD, Ore. — A computer hacker calling himself “Mr. High” claims he stole and may sell names and other personal identification from nearly 1.2 million people who bought Oregon hunting and fishing licenses through a private vendor.
While Mr. High did not acquire Social Security numbers of Oregon license holders, he claims to have names, birth dates, Social Security numbers and other personal information from nearly 800,000 similar licensees in Idaho. Federal officials say that puts them at risk of future identity theft and tax fraud if the information fell into cyber-thieves’ hands.
He also claims to have stolen identities that include partial Social Security numbers from more than 2.4 million Washington license holders and 2.1 million Kentucky license holders, all hacked through the Dallas, Texas-based vendor Active Outdoors, which each state uses to handle at least some of its online license sales.
Mr. High claims in online posts to have notified the agencies as well as the FBI of the leaks in the computer systems Tuesday so the agencies would patch the holes and render his stolen data more lucrative if sold.
“I need it fixed so the information stays private,” Mr. High wrote in an Internet chat room dedicated to “Technophiliacs and Technophiles.” “It raises its value.”
Mr. High supplied the Mail Tribune with a link to the chats involving the data breaches via an email address identical to the one used to send emails to the Oregon Department of Fish and Wildlife and other state agencies informing them of his hacking handiwork. ODFW and agencies with other states shut down their online license purchasing options after learning of the threat.
The chat room contains no statements about whether the information specifically was for sale or has been sold.
Active Outdoors is part of a parent company called Active Network, which said it released a software update to address the threat within 15 hours of being notified of the breach and hired a cybersecurity firm to conduct a review.
The chat-room revelations offer the first public evidence that information allegedly pilfered this past week through online license sales could put hundreds of thousands of hunters and anglers at risk of identity theft and tax fraud.
If his claims are true, the most damaging of information involves 788,064 Idaho licenses. Mr. High claims in the chat room that he has the names, birth dates, addresses, driver’s licenses, height, weight, hair and eye color from them, according to his chat room post. Some even have email and/or telephone numbers associated with them, he claims.
An IRS special agent Friday told the Mail Tribune that about two-thirds of identity theft cases now turn into tax-fraud cases and that thieves need only someone’s name and Social Security number to file bogus federal income-tax returns and collect refunds before the victims file their own returns.
Based on that, the allegedly stolen Oregon data contains the least amount of personal identification. Mr. High claims to have taken only names, birth dates, addresses and driver’s license numbers but not even partial Social Security numbers from 1,195,204 Oregon licensees.
The IRS has sophisticated computer filters that ferret out more than 90 percent of fraudulent returns. Those that squeak through can cause lengthy troubles and tax refund delays for victims.
As of late Friday, Oregon Department of Fish and Wildlife officials said they have found no loss of compromised information.
Mr. High claims in the chat room that he has collected more than 7 million Social Security numbers and driver’s licenses through these hacks revealed to date. He also claims to know that the FBI and the Department of Homeland Security are investigating the cyber-thefts and possibly hints that more are to come.
“I’m only reporting the sites that I’ve already worked,” he wrote in an Aug. 19 note, warning chat-room members of the pending revelations. “The rest stay open for business.”
