Pierluigi Paganini
May 11, 2024
On Christmas Eve, a cyberattack targeting the Ohio Lottery resulted in the exposure of personal data belonging to 538,959 individuals. The organization is notifying the impacted people.
Attackers gained access to names or other personal identifiers in combination with Social Security Numbers of the impacted individuals.
“On or about December 24, 2023, the Ohio Lottery detected unauthorized access to our internal office network as a result of a cybersecurity incident that resulted in the exposure of the data we maintain. The incident did not impact the gaming network,” reads the notice of data breach sent to the impacted individuals. “After an extensive forensic investigation and our manual document review, we learned on April 5, 2024 that certain files containing your personal information was subject to unauthorized access.”
Ohio Lottery is providing impacted individuals free credit monitoring and identity theft protection services through IDX.
The company added that there is no evidence that the stolen information had been abused in fraudulent activities.
The DragonForce ransomware group claimed responsibility for the attack and the theft of 94GB of data.
“Long negotiations that seem to have led to nothing, about 1.500.000 records that contain (SSN, DOB) Ohio Lottery clients. This is about 12% of the population of the state of Ohio and these are just our conservative estimates.” reads the message published by the group on its Tor leak site. “Especially for your convenience, we have exported records from the database into a convenient CSV format, and you also have the opportunity to download full copies of the databases. Ohio Lottery themselves were warned that people could suffer, which in general apparently does not bother them at all, these are the consequences of negligence.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercrime)
