Lottery Security Issues Could Put Bank Info At Risk

A new audit of the Montana State Lottery found that the security requirements for the services added with the introduction of sports betting in 2020 are not being met, possibly compromising people’s credit card and bank data.

The report found that, with the implementation of sports betting and the new services, the Montana Lottery is not playing a significant enough role in actively monitoring whether the subcontractors hired to carry out those services meet security requirements.

“Current security requirements are not being met,” the report said. “Multiple documents from the contracting process outline security requirements for Lottery’s operating system. However, the contractor has not met requirements in regard to security planning, subcontractors, securing remote access, business continuity, continuity testing, and backup services.”

The Montana Lottery is primarily run by contractor Intralot, which has various locations across the United States as well as dedicated staff assigned to the Montana Lottery within Helena. Intralot oversees and runs the main lottery operations, including random number generators, independent verification of lottery operations, and the newly established Sports Bet Montana system.

With the introduction of sports betting, Intralot brought on subcontractors to handle things like identity and location verification. As the contractors and subcontractors move further away from the purview of the Montana Lottery, security risks increase, the report said.

“As supply chains grow, visibility and control over the data flow within the supply chain shift from the central organization. Due to the decentralization, the risk of attacks grows exponentially,” the report said.

The auditors made five recommendations to the lottery to beef up security, and the lottery concurred with all five.

One of the recommendations was clearly defining security requirements in its contract with Intralot: “Specific security requirements are scattered throughout a document that is over 800 pages, and tools for enforcing these requirements are not clearly stated or defined. Vague security requirements and enforcement tools within the contract set the tone for passive contract management practices.”

The report found that third-party security assessments of Intralot and the subcontractors it uses to run the lottery were not stated as a requirement in the state’s contract signed with Intralot in 2016.

“Lottery relies heavily on contractors and subcontractors to provide services for Lottery operation. Controls are needed to manage third-party contracts and agreements to maintain security and integrity of gaming operations,” the report said.

The Montana State Lottery was created in 1987. In 2020, lottery sales from online and scratch ticket games were around $60 million — a $3.7 million decrease from 2019. However, with the addition of sports betting, the lottery increased sales to more than $112 million in 2021, according to the report. On Wednesday, the report was presented to the Legislative Audit Committee, which unanimously voted in favor of the lottery implementing the five recommendations outlined in the report to boost security.

The report also found that current security assurances do not cover critical cybersecurity risks: “The gaming system contractor covers a few aspects of IT, but it is only those that would impact transactions and financial statements. It does not include critical areas such as risk management and mitigation procedures, change management, system configuration, vulnerability, or patching.”

In the report, the lottery said it agrees with the audit’s finding. To address the issue, it said that by March 2022 it “will combine all IT Security language from all Lottery Operating System contract documentation to create a single point of reference to be used by the Lottery and vendor to enforce contract requirements.”

Recommendations included making sure there are more defined policies and procedures for continuity management that address business functions’ administrative details and recovery strategies, formalizing testing plans within sports betting to ensure functionality and legality align, and more testing and training in continuity management.
