Lottery security chief found guilty of hacking Hot Lotto to win $14.3 million

Graham CLULEY

July 23, 2015

If you’re hired as the head of IT security for an association that runs lotteries, chances are that the requirement to stop people hacking your lottery is pretty high in the job description.

What is much less likely to appear in the list of duties you’re expected to fulfil is installing a malicious rootkit via a USB stick onto the lottery random-number-generating computer in order to fix the draw in such a way that you walk away with the multi-million dollar prize.

And yet, that’s what 52-year-old Eddie Tipton did at the Multi-State Lottery Association (MUSL), which runs major lotteries across the United States, including Hot Lotto, Mega Millions and Powerball.

This week a court decided that Tipton planted malware onto the lottery computer that he was supposed to be protecting, allowing him to calculate the winning numbers for Iowa’s Hot Lotto draws in advance.

As we previously reported on Hot for Security, on December 23, 2010 a hooded figure walked into the Quick Trip store on East 13th Street, off Interstate Highway 80 in Des Moines, Iowa, and bought what turned out to be the winning lottery ticket.

When, after almost a year, the ticket which had won $14.3 million was finally claimed anonymously, investigators’ suspicion was aroused.

CCTV footage of the lottery ticket’s purchase was released by the authorities, and a co-worker who saw it identified Tipton, bringing his name to investigators’ attention.

There is one piece of digital evidence that can hurt the defense and Tipton’s credibility: his cell phone records. They show he was in Iowa when the tickets were purchased and not in Texas, where he claims to have been instead.

Despite attempts to receive the lottery wins via a complex network of lawyers and intermediaries, the money was never paid out, and Tipton was charged with fraud.

In his defense, Tipton claimed he had been in Texas at the time the winning lottery ticket had been purchased in Des Moines, Iowa, but his cell phone records told a different story.

Tipton was one of only four or five staff with security clearance to the lottery’s so-called “draw room”, and he had a self-declared fascination with rootkits. Video evidence showed that he entered the room on November 20, 2010, at a time when the cameras were recording only one second every minute rather than running continuously. Things were never looking great for the chief of IT security.

After a week-long trial, Tipton was found guilty of two counts of fraud. He is due to be sentenced at a hearing on September 9th, and could face up to 10 years in prison.

Iowa Lottery CEO Terry Rich released a statement, reported by The Des Moines Register, attempting to reassure members of the public that the lottery could be trusted:

“Our lottery has strong layers of security to protect lottery players, lottery games and lottery prizes,” Rich said. “This case has provided our lottery with an opportunity to better pinpoint potential security risks and update our procedures to protect against them.”

However, there seems to be no denying – even if the ill-gotten lottery winnings were never paid out – that security at the lottery *had* failed.

An individual was able to make unauthorised changes to the computer generating the supposedly random numbers for the lottery – changes which went unnoticed for some time.

It was only red tape involving the pay-out of the large cash prize that prevented the fraud from succeeding.

And, as with the high profile hacks of Ashley Madison and Hacking Team, it seems that once again the thing to worry about may have been the insider threat of rogue employees or contractors rather than the risk of being breached by strangers.
