According to a statement issued by the Florida Department of Agriculture and Consumer Services, there’s been a major data breach. The breach has compromised the records of close to 17k individuals with Florida issued concealed carry licenses, some records including social security numbers and other personal data.
For those who obtained a license after 2009 this isn’t good news, but it isn’t as bad as it could be.
Prior to 2009 Florida required applicants to enter their social security number in an online form. Thankfully someone figured out that this wasn’t a great idea and put a stop to it.
According to the official statement, only 469 licensees had their social security number stored in the compromised system. Florida is footing the bill to provide identity theft monitoring services for those individuals.
The remainder of the impacted licensees (which, according to the statement, is less than one percent of all licensees) simply had their name identified and no other identifiable information.
Or so they claim. Here’s the thing . . .
As an IT security professional, I see cases all the time where information was compromised. Usually ,the people in charge have no idea the scope of the issue. On average it takes 146 days for people to even know that they have been compromised, let alone stop the attack and fix whatever was broken.
So when a government agency says they had a data breach and “only a limited number of people were impacted” my natural assumption is that they have no idea how bad the situation really is. They’re just trying to do the bare minimum level of reporting.
For those readers who have a Florida CHL, keep an eye on your credit report. Even if you aren’t one of the 469 lucky “known” compromised individuals.
Thanks for reporting this.
This happened before, following the Florida “hanging chad” debacle multiple Florida voter registration lists were compromised and sold on the “dark web”.
“For those who have a Florida CHL, keep an eye on your credit report. Even if you aren’t one of the 469 lucky “known” compromised individuals.”
Ever if you don’t have a Florida CHL, keep an eye on your credit report.
The aggravation and misery identity theft can cause you is something you just don’t want to experience first-hand…
Pales in comparison to the OPM hack. They should have locked people up for letting that happen.
This nonsense has gone on far too long and affected far too many people.
Either everybody stops collecting and storing all this data, we all just agree that personal identity and subsequently credit no longer mean squat, or we all start taking security and encryption seriously.
Since government and corporations won’t ever give up the Big Brother crap and people are too lazy and/or stupid to take their security seriously the only practical option is to give up on the concepts of identity, credit and reputation.
I deal all the time with people who resist wading into the electronic world out of fear of unsecured data. When I tell them it doesn’t matter how much they avoid the pool everyone they deal with from their banks, financial planners, doctors, the town hall, the feds, just by walking out in public with advertisers making use of facial recognition in their kiosks and RFID data in some cards and ID’s to log your age and cater ad’s is forcing you into the pool and holding your head underwater until you stop fighting the look on their face is priceless. As if after all these decades of honky dory government is your friend melt away in an instant.
There’s no turning back and the long term outlook of this war is in the favor of the enemy/criminal since even the so-called security pro’s at the NSA, FBI and CIA are bumbling fools who don’t listen to private sector experts because of territorial dog pissing, imaginary “classified” bullshit and the myth that because they work for an alphabet agency they’re better by default when they consistently drop every damn ball thrown to them.
So, just give up already. Keep collecting all the data you want just know it’s meaningless because nobody is working to protect any of it.
This is another good reason to stop putting people on list after list after list.
Identity theft is a real hassle to resolve. Back around 2005 my Bank called me and ask if I was buying stuff in Connecticut . Nope I said so they blocked my credit card. That was the beginning of the fun.
I also supposedly opened lines of credit in Hawaii, New York, Connecticut again and purchased a vehicle in Puerto Rico . It turns out my Bank had set up online access for me to use without telling me about it and the initial password was my moms maiden name. How it came about was Choicepoint in Atlanta was compromised and a lot of information about me was released by them to thieves. I had to lock all three credit agencies and dealt with creditors attempting to recover their money. The best was the car dealer in Puerto Rico. He kept calling and demanding I pay him for the car. Sorry I told me, I’ve never been there so why would I buy a car. I asked if he could recover it and he said no, by now it was stripped of parts. I picked up my concealed after 2009 so hopefully if mine was part of the information stolen they did not get much.
Looks like another argument for constitutional carry. Over and over again the government has failed us and our founding principles. We should not need a license to carry anyhow.
Maryland Tollway/tunnel popo?
Yet another reason to NOT aquire a permit for a Constitutional RIGHT.
I won’t spill my guts, but maybe this is how the recent identity theft started. Though our info is all over the dark web for a few cents apiece. All that hacked data is available for a price.
I had been considering applying for a non-resident FL CCW.
Now … Nope.
My home, Flori-Duh, is well known for this kinda schmitte. Got my CCW long before ’09. Had LifeLock before that.
Only one problem since – and that was a few weeks ago – LifeLock, plus my bank caught it fast.
Big hint on how you can get really effed and how it got me a few weeks ago: When you get gas, pay cash. Sometimes there’s no real way to tell if some sort of ‘skimmer’ is on a pump, especially if the station is in on it.
Look at your checking account daily – the normal alerts start at $100. So the thievin’ bumscags go for $99. Then $99. Then a bit less than $99. If the location doing the deed for them is in on it, they figured out a way to process the transactions….. get this….. within 30 seconds of each other and have them go through, as long as the funds are in the account being ripped off.
I’ve set my alerts now to ‘any transaction, any account’ and upped notification from to ‘instant/push’ instead of ‘daily’…… and I still check it all once or twice per day j.i.c.
In NJ there was a gas station that always had the lowest prices around, but after a visit your credit card might be compromised. Not such a bargain. The station was definitely in on it.
I’m still blown away that people can’t legally pump their own gas in Noo Joisey.
“Big hint on how you can get really effed and how it got me a few weeks ago: When you get gas, pay cash.”
When you get *anything*, pay cash. Gas, groceries, your day-to-day stuff, pay cash. Money becomes more *real* to you when you hand it to someone else.
Jah mon. It’s all real to me though. Ain’t got enough to not notice instantly if even a few shekels are missin’.
Never ever use your debit card or bank card for purchases at a POS terminal or online or really any purchases. If you aren’t paying cash use a credit card because it isn’t directly tied to your bank account.
Don’t pretend that this is a serious problem. If it were, you’d be up in arms about your employer having your personal information on file too.
Florida Concealed Weapon or Firearms license holder here. I got it in 2014 when i moved from Texas to Fl. I was also in the OPM breach as well. My employer paid for my Lifelock subscription for 2 years and now i pay for it at a discount for both my wife and me. I track all bank transactions daily. That is all i can do.
Lifelock got sanctioned multiple times. While they may claim they have not been hacked, probably more accurate to say they claim they are not AWARE of being hacked. As IT Pro, there’s a BIG difference (like if you don’t buy giid intrusion detection equipment and staff to monitor, you will never know you were breached).
Most companies today look at security as a function of risk management… why spend $10 Million on security when they can just pay $6M in claims thru insurance. So we have self perpetuating problem, made worse by fact YOU have to prove the link between their data breach and your loss. Extremely difficult to do.
I work in the tech industry, building enterprise software. Good security is expensive. So expensive that most public entities can’t afford it on their own, given their current funding priorities and the amount of money they have available. In fact, most public entities are running on operating systems and applications that are very, very old…and thus very, very vulnerable.
To make a bad situation worse, most hacks are now so subtle that it takes an organization at least five months to realize they’ve been hacked. That’s a long time for data to be hemorrhaging out of a security leak.
The bottom line is that your personal data is likely online somewhere. And nobody can provide an iron-clad guarantee of security…not at the present time, anyway. So it’s up to each of us to individually take steps to protect ourselves: alerts on credit reports, strong passwords with frequent changes, periodically changing credit card numbers, among other things. It takes a level of individual diligence to protect ourselves in a connected world.
The really frustrating part of this particular situation is that we’re keeping a registry of people, along with their personal and sensitive information, in order for them to exercise a Constitutional right. Open carry, concealed carry, state of residence…none of that should be relevant under the 2nd Amendment. If you’re a citizen, you can bear arms…end of story. States regulating and collecting data of people who exercise that right? That’s the real tragedy here.
Fraud alerts every 90 days is apparently the best method of reducing potential for identity theft. Though a lot of banks won’t pull credit to open an account. Basically, it’s a crapshoot.
use an anonymous payed vpn ram server as perfect privacy
encrypt all devices and not used ms software and chrome shit
pay bar / cash ore bitcoin (better monero)
fight big data !
Another reason not to register anything, or have government attempt to maintain any level of privacy.
If they didn’t keep these records then they wouldn’t have had them to incompetently been breached.
Well this sucks I’ve had a concealed weapons permit for years but I just recently had to get it renewed does this mean that my information was compromised as well? Are they not counting renewals in their numbers you know how government statistics are LOL.
Thank you for posting this. I had no idea. Fack.
The state should “make whole” anyone who is harmed by the data breech.
“to pay or award damages sufficient to put the party who was damaged back into the position he/she would have been without the fault of another”