Stories As They Appeared in the
Dallas Morning News & AP Wire News
Posted: Sunday, Sept 12, 2008
Revised: Sept 30, 2008
(My New Comments & 2nd Dallas Morning News Story Added on 9/30/08)
Search Warrant Reveals Findings
Update - 9/30/08
On Sept 10, 2008, I originally reported that personal info on lottery winners, retailers and
TLC employees had been compromised. On Sept 12, I posted the first news story that appeared.
I am now posting a follow up story but I'm commenting first regarding the "findings" reported.
The officer who filed his findings - via the search warrant - with the court had NO way of
knowing precisely what was really contained in those files. Common sense says that
someone had to tell him and my guess is that it was someone with the Texas Lottery who
identified the information found. The point is - WE don't really know if it was "only" low tier winners,
"only" new retailers, or which TLC employees' personal data was really compromised.
Because identity theft is such a serious matter, I strongly suggest that
all of you watch your accounts - just to be safe.
Both winners and TLC employees have commented about their disgust with the TLC over
this matter. They have been told to watch their accounts but have to do this at their own expense.
While the TLC is trying to convince us that they have "top notch" security, this is clearly not true.
Here's why ...
How many of you have been to the grocery store where the clerk either needed to cancel
a transaction or just open his drawer where you saw that it required him to call a supervisor
or a manager over to "give him permission" to open his drawer? Well, to "copy a file" that
contains sensitive information should require "permission" to COPY from a Director of
the Lottery or at least the immediate supervisor. As you all know, this feature is available for any
of us with computers and should have been used by the TLC to protect this info.
They have "backups" on large drives, they don't need people copying "sensitive"
files onto CDs. Especially when it doesn't even require someone else to give the
employee permission to copy the sensitive files just like you see in the grocery stores.
For those of you who would like to read the very interesting search warrant, click here. pdf
Now, read the follow-up story that appeared in the Dallas Morning News about this issue.
As It Appeared in the
By KAREN BROOKS
Comments in red made by
AUSTIN - A former Texas Lottery Commission computer analyst told investigators that he copied the personal data of more than 27,000 Texas lottery winners by accident, simply by downloading his own work files off his computer and taking them to his next job, according to arrest warrants.
But the commission isn't yet working to change its information-technology security systems so that doesn't happen again, even inadvertently, officials say. Instead, the agency is waiting until after a felony criminal investigation into the case, in which a 39-year-old Austin man could be charged with possession of unauthorized information.
WHAT? Why not make some changes now - you know sensitive files were copied onto a CD. Why not at least password protect sensitive files NOW? You should certainly require supervision for copying files containing sensitive info. You OWE the People of Texas this peace of mind.
"In a very general sense, we always look at our process," said commission spokesman Bobby Heith. "As in any business, we look at processes where we may or may not need to improve. Whether this is one of them or not, I'm not aware that there's any current process going on to look at IT security. The investigation will answer those types of questions."
The names and Social Security numbers of 27,075 mid-level lottery winners - people who have won prizes from $600 up to around $1 million - were on the employee's hard drive. Also included were the names, Social Security numbers and, in a handful of cases, bank routing and account numbers of 639 current and former commission employees and 534 lottery retailers.
There have been no reports that the information has been used inappropriately, but in a letter sent out on Sept. 11, commission officials advised that the recipients put a fraud alert on their credit reports and check their bank statements.
Mr. Heith declined to answer many specific questions about the case, saying the commission doesn't want to get in the way of the investigation. The Travis County District Attorney's office and the Texas Comptroller's Office, where the employee worked until recently, are handling the case.
He said the security system, in which only a few employees have access to sensitive information and are instructed by both agency policy and the law not to download it or copy it, is in compliance with security standards set out by the Texas Department of Information Resources. But the agency's IT security clearly isn't good enough, said
"The employee made a very stupid mistake. He should not have had anything personal in his work computer where he would need to copy anything," Ms. Nettles said. "But by the same token, the [lottery commission] is at fault for having sensitive information in files with no protection that would have prevented it from being copied in the first place."
The employee was a computer programmer who dealt with programs that sent financial and employee information to the comptroller's office. He left the commission in 2007 to take a job with the Texas Department of Transportation, then moved to the comptroller's office.
The ex-employee told investigators that before resigning from the lottery, he had "indiscriminately" copied on to a CD/DVD the entire contents of the "My Documents" on his computer. He said he wanted to retain "personal files and computer programming work for possible future reference as a programmer at other state agencies." He had then downloaded them on to his work computer, which was searched by comptroller's officials after they received a tip.
Read the very interesting search warrant, click here. pdf
(9/12/08) Comments by
The Texas Lottery has known about this very serious compromise
of employees', winners' and retailers' personal information for
the past 3 weeks. Yet they told NO ONE. This should be
a CRIME ... silence is not always golden.
One lotto winner HAS reported to me that she had identity theft
in the past 2 to 3 weeks. Of course, there is NO way of knowing
if her theft is related to this incident.
If you have made ANY claims, your personal
info may be floating around the internet. Protect yourselves.
The following stories explain it all.
Former Texas Lottery employee investigated for storing personal information at home
The Dallas Morning News
By KAREN BROOKS
Thursday, September 11, 2008 - 11 PM
The Associated Press contributed to this report.
AUSTIN - Authorities are investigating a former employee of the Texas Lottery Commission who illegally had the personal information of some employees, lottery winners and retailers stored on a home computer.
The criminal investigation, which started about three weeks ago, involves the Texas comptroller's office and the Travis County district attorney's office, lottery spokesman Bobby Heith said. He declined to give other details, saying he didn't want to jeopardize the investigation. The employee at one point worked at the Texas comptroller's office, which is why that agency is involved.
Lottery winners and other employees are being notified, some just this week, about the fact that their personal information - which includes driver's license and Social Security numbers - could be compromised.
Mr. Heith declined to say how many people might be affected or how long the commission had known about the incident before they started notifying people.
A news release by the agency Thursday said "certain TLC employees, certain licensed retailers, and certain prize winners" could be affected.
Assistant District Attorney Beverly Matthews said the Travis County district attorney started its investigation about three weeks ago.
Criminal probe of ex-Lottery employee launched
By JAY ROOT Associated Press - 7 PM
Sept. 11, 2008
AUSTIN - Authorities have launched a criminal investigation of a former Texas Lottery employee who gained possession of unauthorized data, officials said Thursday.
"We have received a criminal referral and we are investigating that case," said Assistant District Attorney Beverly Mathews. "I'm not at liberty to make any other comment."
The Texas Lottery Commission disclosed the ongoing investigation in a cryptically worded, three-paragraph statement that did not name the employee or disclose which state officials are investigating the allegations. The agency said the employee had gained access to information about "certain TLC employees, certain licensed retailers, and certain prize winners."
The agency said letters are being sent "to all potentially affected parties, informing them of the alleged unauthorized possession of data." The Lottery Commission said there was no indication that the information had been shared with others.
Mathews said the Travis County District Attorney's office started the investigation about three weeks ago.
Under the Texas Penal Code, the "fraudulent use or possession of identifying information" is considered a felony.
In 2006, the Texas State Auditor's Office discovered a series of "security-related weaknesses," particularly in the agency's computer systems and database. The audit found that the lottery commission did not "sufficiently document and enforce policies and procedures to protect its automated resources," including measures related to network access, password security and computer firewall systems.
Computer system weakness was also the subject of a recent whistleblower lawsuit at the Texas Lottery. The agency paid nearly $100,000 to settle a lawsuit filed by a former employee who said he was fired for going public about problems with a vital computer system, according to a report last month in the Fort Worth Star-Telegram.
The employee, former lottery systems analyst Shelton Charles, had warned that the computer's backup computer system had never worked properly and that the state would be out millions of dollars if the mainframe crashed.