Hackers Steal Iowa Gaming Workers’ Private Info
More than 80,000 SSNs among stolen data
February 5, 2010
We hope there won’t be any horse-trading of data involving employees of casinos and horse race tracks in Iowa – unfortunately, a breach involving the state’s Racing and Gaming Commission has left the personal identifying information of 80,000 individuals exposed to hackers.
According to eSecurity Planet, the hackers used a server based in China to exploit an unpatched firewall to access one of the commission’s databases. The compromised information included the names, Social Security numbers, addresses and birth dates of jockeys, trainers, card dealers and other workers who need a license to work in state-run casinos and race tracks. In the wrong hands, such information could be a recipe for identity-related crimes including the opening of fraudulent credit accounts and securing of employment under false pretenses. That’s why personal data is a black market commodity.
Most of the people in the database live in Iowa, but some are from Illinois, Minnesota, Nebraska, South Dakota and Wisconsin.
The commission said in a statement that it’s “unaware of any incident of identity theft related to this breach.” That may be true – for the time being. Unfortunately, it can take weeks, months, or even years for victims to detect the wide range of identity-related crimes that can result from data having fallen into the wrong hands. Writing on the Des Moines Register web site, a member of the Iowa State University Center for Information Protection, Steffen Schmidt, argues that “no one who hacks such a data base do so just for fun.”
In a statement regarding the incident, the commission suggests that those affected by the breach may place a 90-day fraud alert on their accounts with the three major credit-rating agencies: Experian, TransUnion and Equifax. Those individuals ought to do so – a fraud alert will signal potential creditors to verify identification before new accounts are opened. It’s a shame, however, that the onus is on casino employees to protect themselves from a situation they didn’t create.
Investigators said hackers breached the state computer system Jan. 26 during a routine maintenance procedure. The firewall had not been properly updated with a security patch. The affected server was shut down 15 minutes after the breach was detected.
Although the investigators said China was the source of the incident, it’s not known whether the attack originated within that country or simply employed a server based there. Last month, Google announced that it and at least two dozen other companies had been infiltrated by hackers in China through a vulnerability in Internet Explorer.
Ambient Consulting, the Minneapolis-based company that maintains Iowa’s computer network, says the security flaw has been fixed. “There is nothing to show that even if all the patches had been installed, they still wouldn't have gotten in because they had already gotten through the state's firewall,” Ambient CTO Robert Keller has stated.
©2003-2010 Identity Theft 911, LLC. All rights reserved.