
Cybercriminals hit jackpot as 500k+ Ohio Lottery lovers lose out on their personal data

More than half a million gamblers with a penchant for powerballs will be receiving some fairly unwelcome news very soon, if not already, as cybercriminals have made off with their personal data.

That’s according to Ohio Lottery, which has this week finally revealed the scale of its Christmas Eve security breach in a regulatory filing.

The state lottery concluded its investigation into the incident on April 5, finding that some 538,959 individuals had their names and social security numbers exposed.

Ohio Lottery said there’s no evidence to suggest that the stolen and subsequently leaked data has been misused by any malicious parties, but has offered all of those affected the standard 12 months of credit monitoring and ID theft protection.

It confirmed at the time that the intrusion didn’t affect its gaming systems and lotto lovers were still safe to continue buying tickets, although lucky winners of sums exceeding $599 weren’t able to cash out their prizes for some time as a result of the attack.

The organization has not attributed the attack to any group or individual. However, the miscreants who work for the DragonForce ransomware gang – not to be confused with the Malaysian hacktivists – claimed responsibility for the incident shortly after it was first disclosed.

DragonForce, if you can believe anything that the Hasbro toy-sounding gang says, now claims the 1.5 million records, or 94 GB worth of data, it allegedly stole are available to download in a CSV format via its leak blog. It also reckons that dates of birth are included in the file – a data type not mentioned in Ohio Lottery’s filing.

The most up-to-date description of its data haul represents a significant downgrade from the more than 3 million records it claimed to have stolen at the time, which allegedly also included home addresses and the sums won from tickets.

Whether or not ransomware was involved isn’t known, but the group is understood to have an established ransomware variant in circulation, which Cyble believes is based on the leaked LockBit Black builder.

DragonForcers are also known to use double extortion tactics, which means one can’t rule out the possibility of a pure extortion attack either, an approach many cybercrims have switched to in recent years.

“Please accept our apologies that this incident occurred,” said Ohio Lottery in the letter to victims. “We are committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it. 

“We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information.” ®