Texas Lottery suffers computer security breach

Nov 3, 2008, 6:00 pm (10 comments)

Texas Lottery

Sensitive personal data on 89,000 players copied by former employee

The Texas Lottery Commission is alerting tens of thousands of lottery winners that they're on a not-so-lucky list.

More than 89,000 lottery winners are being notified that sensitive information about them including their names, Social Security numbers, addresses and prize amounts were taken from the agency without permission by a former employee.

The 39-year-old computer analyst, who left the state commission last year after eight years on the job, apparently copied onto computer disks sensitive information on thousands of lottery commission employees, retailers and vendors, as well.

The employee, who told investigators he eventually copied the data onto his work computer at the Texas Comptroller's Office, has not been charged. The case is being investigated by the Travis County District Attorney's office.

Investigators with the Texas Comptroller's Office said they have no evidence the information was used to commit fraud.

Still, the Lottery Commission is advising those they contact to place a fraud alert on their credit files.

Agency spokesman Bobby Heith said that while officials were looking at measures to prevent similar acts from occurring, no new security procedures had yet been adopted.

In August, investigators with the Comptroller's Office were asked to examine the computer files of the former lottery employee, who was working for the comptroller.

They discovered sensitive data on 27,000 individuals, the majority of them winners. Subsequent searches turned up data on 78,000 additional individuals, including 62,000 winners.

The agency notified people in the first group last month and began sending out letters to the 78,000 people this past week.

Several days after he was fired, the employee told investigators that prior to leaving the lottery commission, "I indiscriminantly copied all the files from the My DOC folder to a CD/DVD which I carried (to subsequent jobs)," according to a search warrant.

The employee added he wanted the information "for possible future reference as a programmer at other state agencies."

Houston Chronicle

Comments

MaddMike51

Maybe he hasn't committed fraud with the information that he stole,but he still stole the information.It wasn't his to take,that makes him a thief and he should be charged with theft and sent to prison.The only "state agency" he should be allowed to work for in the future is the state prison system....on the other side of the bars

ThatScaryChick's avatarThatScaryChick

Quote: Originally posted by MaddMike51 on Nov 3, 2008

Maybe he hasn't committed fraud with the information that he stole,but he still stole the information.It wasn't his to take,that makes him a thief and he should be charged with theft and sent to prison.The only "state agency" he should be allowed to work for in the future is the state prison system....on the other side of the bars

I agree. There was no reason whatsoever, for this guy to copy confidential information onto disks after he was fired. No reason. He claims he wanted the information "for possible future reference as a programmer at other state agencies." Sorry, but bullcrap. That personal information was not given to him to use and I am sure he was going to use it for criminal acts. I hope they throw the book at this guy.

diamondpalace's avatardiamondpalace

Maybe he wanted to send out a farewell card to the people after leaving the job? ;)

L J1's avatarL J1

Wow! A very shocking story. Hope all those people don't have to pay for his mistake.

spy153's avatarspy153

Let me first say, I am not advocating his behavior., nor do I think his intentions were on the up and up.  However, there is another possible reason he took the information.  It may be the only proof he has to show for something he "discovered" about the lottery.  Just a thought.

LottoL's avatarLottoL

                             I Agree!

State databases are not very secure!

Too many people (State personnel, Vendor personnel, Contractors, etc.)
have confidential access to alot of data.

Not to mention all those companies putting together their own databases
using public information.  Public or Private, there are alot of people who
have access to personal and private information.

Drivedabizness

The info on winners themselves, etc., did not come from the gaming system but from internal lottery accounting systems.

 

Clearly, those internal systems were not as secure as they needed to be.

 

I'm disappointed with the Lotetry response. Clearly som eimprovements need to be made - if there were procedures in place to prevent this their employee was able to get around them. Either way, they need to make changes.

 

This sounds like a helluva lot more than "sample work product" to show a perspective employer to me.

time*treat's avatartime*treat

Another fine example of why these databases shouldn't exist in the first place.

Why would the lottery keep data on past winners for years? Even for tax purposes that info should not exist after a year or two.

Two wrongs make a catastrophe.

Omniscient's avatarOmniscient

This guy needs to go to jail , plain and simple. I'm under the suspiscion that he's holding this information for blackmail purposes or wants some kind of compensation for 'sensitive' information against the lottery for firing him. When people get fired or know they are going to get the axe, they may feel that after years of loyal service, they are being betrayed and might become spiteful. He must have known in advance that he was going to be 'let go' from his job prior and began that copying of past winners and who knows what else info he might have gotten his hands on. In normal circumstances in a job when you have access to computer databases and sensitive information like in this situation, when you get fired or laid off , the IT/IS department will block access to the network on that users account in a fast manner. Some people like this guy can become very vindictive. Just my opinion on this matter.

mjwinsmith's avatarmjwinsmith

Quote: Originally posted by time*treat on Nov 6, 2008

Another fine example of why these databases shouldn't exist in the first place.

Why would the lottery keep data on past winners for years? Even for tax purposes that info should not exist after a year or two.

Two wrongs make a catastrophe.

You hit the nail right on the head.

End of comments
Subscribe to this news story