“Initial assessments indicate personal information exposed by the vendor for Washington residents includes names, addresses, driver’s license numbers, dates of birth and the last four digits of Social Security numbers,” Washington officials said in a statement.

Share story

BOISE, Idaho — A breach in a vendor’s system that processes online sales of hunting and fishing licenses in Idaho, Oregon and Washington state exposed several million records containing buyers’ personal information, officials said Friday.

The U.S. Department of Homeland Security and FBI are investigating the hack into Dallas-based Active Network, the Washington State Office of Cyber Security said in a statement. Washington halted all sales this week, allowing anglers to fish license-free, while Idaho and Oregon have stopped only online sales.

“Initial assessments indicate personal information exposed by the vendor for Washington residents includes names, addresses, driver’s license numbers, dates of birth and the last four digits of Social Security numbers,” Washington officials said in a statement.

Washington state opted to halt all sales, including at businesses. Through Tuesday, it will not require anglers to have a fishing license to fish or gather shellfish.

“We are as frustrated as our customers over the licensing system being shut down, but we want to make sure anglers can still hit the waters over the next several days,” Jim Unsworth, director of the state Department of Fish and Wildlife, said in a statement.

Active Network, whose event- and activity-management software is used by tens of thousands of event organizers nationwide, including marathons and other races, said the potential threat was isolated to fishing- and hunting-licensing systems in the three states.

The company “became aware that we were the victim of an unauthorized and unlawful attempt to access” those systems on Monday, a statement said.

It didn’t say whether the hacking attempt was successful but that the company released a software update to address the threat within 15 hours and hired a cybersecurity firm to conduct a review.

Active Network said it didn’t receive reports or find evidence that personal information was compromised.

“We are committed to working with our state customers and law enforcement to assist in their own investigations of this matter,” the company said.

In Idaho and Oregon, state offices and certain businesses will keep selling hunting and fishing licenses because they use a different system. About 80 percent of sales occur in person at those sites, officials said.

“Until we understand the full scope of this, we’re going to keep the online component of this down and will do so until we have some clear answers,” Idaho Fish and Game spokesman Mike Keckler said.

While Washington officials said personal information was exposed, initial investigations in Oregon have not found identifiable information was revealed, said Rick Hargrave, spokesman for the Oregon Department of Fish and Wildlife.

Still, “the prudent thing to do was to shut down systems to make sure there is no vulnerability,” he said.

California also uses Active Network to sell hunting and fishing licenses but determined it is not affected after talking with the company, said Clark Blanchard, spokesman for California Department of Fish and Wildlife.

“We use the same vendor, but our system employs completely different technology and uses more stringent security,” he said.