The Illinois State Police Firearm Services Bureau implements the Land of Lincoln’s gun control licensing schemes for the state’s residents. Their website, ispfsb.com, was hacked in the last week of July. An initially unspecified amount of gun owner data was compromised.
The Illinois State Police completely shut down the website over the weekend of July 31-August 1 for an upgrade to remedy the security vulnerabilities that the hackers exploited.
The now-crippled website returned on or about August 2nd, but it wouldn’t accept new applications for residents seeking to exercise their right to own or even handle firearms or ammunition. What’s more, it didn’t seem to work for existing gun owners to make changes either. And now, as of Sunday, August 8th, it’s not allowing this existing user access either.
The story broke Wednesday afternoon, as the Illinois State Police have reportedly told some gun dealers that hackers breached their security protocols. The gun dealers sharing this information with me wished to remain anonymous out of fear of retribution from the Governor’s office. Yes, while the people at the ISP’s Firearms Services Bureau are legitimately helpful and courteous, at least one dealer expressed concerns that they governor’s office could change that for his business and potentially others as well.
What’s more, according to those inside the ISP this week, an unspecified amount of gun owners’ personal data was reportedly downloaded by the hackers.
Now, while the website is back online, it has only limited functionality. Among the security upgrades is a two-form authentication where the website will send out a text message to the user’s smartphone to confirm their identity.
However, that’s problematic for older folks who don’t have smartphones. No worries though…dealers have found that they can use the same smartphone to process multiple applicants who don’t have those magical glowing boxes in their pockets. That right there is a huge (HUGE) security flaw.
As for new applicants, the Firearm Services Bureau website won’t accept their applications for FOID cards, which are required in Illinois to handle, use, or purchase firearms or ammunition. So because the state of Illinois failed to ensure their computer systems are safe and secure, the ability of residents without FOID cards to exercise their Second Amendment rights has effectively been suspended.
Even for existing FOID cardholders, such as myself, the website isn’t allowing any updates of personal information. My effort to update a now-defunct email address was rejected Thursday morning. And as of this Sunday afternoon, I’m unable to even access my account at all, suggesting the best and the brightest in Illinois government have been unable to remedy this issue.
This isn’t the state’s first run-in with hackers. In late April, hackers tied up the Illinois Attorney General’s office mail and document servers with ransomware. The AG’s office chose not to pay the ransom and it’s been nothing but a hot mess there since.
Many staff members needed to get new email addresses. Their work documents and old emails remain encrypted and unavailable to this day. It’s cost the Illinois Attorney General Kwame Raoul and his merry band of lawyers and staff millions because of a failure of their IT staff there to maintain proper backups and security.
The Illinois State Police’s Public Information Officer hasn’t returned our request for comment or details of this latest hack of state computers. We will update this story if and when they release any information to us.
The Illinois State Police Chief Public Information Officer sent this to me Thursday evening. In it, they claim a very limited breach of data and that they have have notified the relevant individuals. Take it for what it’s worth. The PIO claims that the site is up and accepting applications, when it clearly wasn’t according to our dealer friends (and my own personal inability to access my data, much less make changes.)
Illinois State Police Strengthen FOID Cybersecurity Measures in Response to Identify Theft Attempts
The Illinois State Police have added additional online security requirements to the FOID online application system to deter and disrupt cyber security threats and identify theft. Specifically, the ISP is restricting the use and access of personal information that FOID card applicants submit in their online FOID account that could match Illinois resident personal identification information unlawfully obtained from any number of previous cyber breaches. This personal information did not come from ISP systems and servers.
Thousands of cyber breaches, unrelated to ISP systems and servers, have occurred nationally and globally which did or could impact Illinois residents. Government sites are routinely the target of identity theft and other cyber threats. The FOID website software vendor, working with ISP, recently determined unauthorized persons were attempting to use this type of previously unlawfully obtained personal information to match with and access existing FOID online account information to add further detail to their existing stolen data.
An investigation by the software vendor with ISP determined no FOID card has been fraudulently issued, nor has any unauthorized user attempted to complete the process to obtain a FOID card, nor was any ISP database breached. There is no known ransomware attack or cyberattack on ISP systems at this time.
The software vendor determined that using previously stolen personal data to access existing accounts, unauthorized users may or may not have accessed additional “auto populated” personal identifiers unique to that account and card such as the last four of a social security number. 2067 FOID card holders, less than .0008 % of total card holders, were possibly impacted by these attempts. In accordance with state law and out of an abundance of caution, all affected persons were sent notice and issued a new card at no cost.
Just as when credit card information is unlawfully used, the potential unauthorized access was identified, the current card cancelled and a new one immediately issued to the affected FOID card owner.
Out of necessity, some of the online account parameters put in place for ease of use and convenience years ago have been appropriately modified and tightened to prevent unauthorized users from attempting to further expand the extent of the identify fraud.
We appreciate the patience of the public, but these additional security measures are necessary to protect personal data as a wave of cyber security threats reverberate around the world. No online system is completely impenetrable, and upgrades to all states systems must and will continue, but we remain vigilant. ISP treats information and personal data security very seriously. While the ISP does not yet know the source of the personal information used in the unauthorized access of accounts, and while there are countless unlawful uses of personal information acquired illegally online around the world every day, the ISP continues to investigate with our federal partners and to monitor the FOID system to ensure the highest level of security for personal information. ISP values the protection of your personal information and continues to take all reasonable efforts to protect your confidentiality and security.
The site is currently up and accepting applications.