Ohio Lottery details full extent of December cyber attack

May 13, 2024, 3:01 pm


More than 538,000 player names and Social Security numbers exposed

By Kate Northrop

The Ohio Lottery revealed that a cybersecurity incident on Christmas Eve 2023 resulted in over half a million players having their personal identifying information exposed, including full names and Social Security numbers.

The cybersecurity attack that was carried out against the Ohio Lottery in December 2023 impacted 538,959 lottery players, compromising full names, other personal identifiers, and Social Security numbers.

"On or about December 24, 2023, the Ohio Lottery detected unauthorized access to our internal office network as a result of a cybersecurity incident that resulted in the exposure of the data we maintain," the Ohio Lottery said in a letter to the victims. "Upon learning of this issue, we immediately took steps to secure the threat and commenced a prompt and thorough investigation. The incident did not impact the gaming network."

Upon discovering the breach, the Lottery suspended prize payouts of over a certain amount and notified law enforcement. Viewing results for some games was also affected, which made it temporarily impossible for players to check their numbers for those games.

All cashing options were finally made available on Jan. 10, over two weeks after the incident took place.

The downside, the Lottery revealed, is that an unauthorized third party had likely gained access to sensitive customer and retailer information.

Although neither the Lottery nor law enforcement explicitly named any suspects, a ransomware gang called DragonForce claimed responsibility for the attack. They alleged that they had stolen data pertaining to both Lottery employees and players, including Social Security numbers, dates of birth, first and last names, addresses, and winning amounts.

"More than 3,000,000+ entries, first name, last name, mail, addresses, winning amounts! SSN + DOB records of employees and players," DragonForce claimed. "...The total weight of the leak when unpacked is about 600+ gigabytes."

The tactics employed by the group suggest that its members are experienced extortionists.

On Jan. 22, 2024, DragonForce posted another entry on their dark web leak site about failed negotiations and leaked multiple files containing player data allegedly stolen from the Lottery's internal systems.

"Long negotiations that seem to have led to nothing, about 1,500,000 records that contain (SSN, DOB) Ohio Lottery clients," the entry on Jan. 22 said. "This is about 12% of the population of the state of Ohio and these are just our conservative estimates. Especially for your convenience, we have exported records from the database into a convenient CSV format, and you also have the opportunity to download full copies of the databases."

"Ohio Lottery themselves were warned that people could suffer, which in general apparently does not bother them at all, these are the consequences of negligence," DragonForce's post eerily says.

On April 5, 2024, well over three months since the breach, the Lottery finally confirmed that they learned through an "extensive forensic investigation" and "manual document review" that "certain files containing personal information [were] subject to unauthorized access."

While the Lottery established that player data was indeed compromised, the 538,000 number they quote is way below the 3 million and 1.5 million figures claimed by DragonForce, and there is no mention of physical addresses, dates of birth, winning amounts, or whether the total number of people affected includes both players and retailers alike.

"We have no evidence that any of your information has been or will be misused as a direct result of this incident," the Lottery said in their letter to impacted individuals.

"Out of an abundance of caution," the Lottery is offering 12 months of free credit monitoring and identity theft protection services through IDX, which helps detect possible misuse of personal information and resolve identity theft. Individuals who enroll in the program will not have their credit score impacted. The Lottery also included resources in their letter that explain how to take precautionary measures to protect personal information, such as placing a Fraud Alert and/or Security Freeze on credit files, and/or obtaining a free credit report.

"Please accept our apologies that this incident occurred," the Lottery said. "We are committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it. We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information."

Lottery Post Staff
