Illinois FOID Cards personal information May have been compromised

Illinois State Police are notifying about 2,000 Illinoisans with Firearm Owners Identification cards that their personal information may have been compromised in a hack of the agency’s Police FOID card portal.

The backlog-plagued system was hit with a cyberattack, ISP confirmed Thursday.

“Out of necessity, some of the online account parameters put in place for ease of use and convenience years ago have been appropriately modified and tightened to prevent unauthorized users from attempting to further expand the extent of the identity fraud,” the police agency reported.

State Rep. Tim Butler, R-Springfield, said the thieves were looking for additional personal information.

“They were using some data that had potentially been out there in other hacks and they were trying to gather further information on someone’s identity,” Butler told WMAY Friday. “And no false FOID cards went out, or anything like that.”

Illinois State Police officials said the information of about 2,000 FOID cardholders may have been accessed in the attempted hack. Those people will be contacted, the agency said in a news release.

Cybersecurity consultant John Bambenek said the hack raises not just concerns about cybersecurity, but also physical security.

“I’d rather there not be a database somewhere of gun owners and their addresses,” Bambenek said. “It doesn’t take that much imagination to figure out how that information can be used in ways that increase the risk to those persons.”

Bambenek said the hack is the latest in a string of attacks targeting government cyber infrastructure and officials should take steps to beef up security. But, he said it appeared the agency caught the hack early.

“It sounds like they’ve done their research, there’s specificity in the report,” Bambenek said. “They’ve taken some proactive measures.”

Illinois State Police officials said in response to the hack, they are “restricting the use and access of personal information that FOID card applicants submit in their online FOID account that could match Illinois resident personal identification information unlawfully obtained from any number of previous cyber breaches,” according to a news release.

Butler said he’d rather the FOID card be done away with altogether, calling it an impediment for people to be able to exercise their Second Amendment rights, but if it’s required, state officials must make it secure.

“I have a lot of logins where I use two-factor authentication,” Butler said. “So I’m getting text on my cell phone, or I’m getting an email directly to my email with an additional number that I have to plug in as another safety factor and think that’s where we have to go with this stuff.”

Agency officials said they continue working with other law enforcement agencies to further investigate the origins of the hack.

The hack follows other recent cyberattacks on state government agencies like the Illinois Attorney General’s office and the Illinois Department of Employment Security, something Bambenek said must be a wake-up call to all levels of government.

“Breaches happen and attacks happen, but government needs to continue to operate,” Bambenek said. “The Attorney General of the state of Illinois can’t take six months off doing the job. So, they need to have plans on how to respond and recover from these incidents in a reasonable timeframe.”