The Iowa Racing and Gaming Commission this week is warning more than 80,000 licensed casino and racing employees that hackers managed to exploit an unpatched firewall to access a government database containing their names, Social Security numbers, addresses and birth dates.
Commission officials said the hackers were able to infiltrate the state computer system on Jan. 26 during a routine maintenance procedure. The state shut down the affected server 15 minutes after the breach was detected.
A subsequent forensic investigation determined that the firewall had not been properly updated with a patch, giving hackers the opportunity to penetrate the network through the security hole.
The investigation also found that China was the source of the hacking incident, although state officials said there's no way to guarantee those responsible for the cyber attack were actually in China, or simply using a server based in the country to launch their assault.
The state contracted with Minneapolis-based Ambient Consulting to provide maintenance and support service for the network.
Ambient officials said the security vulnerability has since been fixed and that it would work with the commission to improve the network's security.
"There is nothing to show that even if all the patches had been installed, they still wouldn't have gotten in because they had already gotten through the state's firewall," Ambient CTO Robert Keller said in a statement.
Officials said most of the people in the licensing database are Iowa residents, but it also includes residents of Illinois, Minnesota, Nebraska, South Dakota, Wisconsin and other states. The data was collected from workers such as jockeys, trainers, slot machine technicians and card dealers who are required to obtain a license to work in the state-regulated casinos and racetracks.
"We regret that this incident has occurred," the commission said in a statement.
"The Iowa Racing and Gaming Commission is unaware of any incident of identity theft related to this breach," it added, reassuring affected employees that they could place a 90-day fraud alert by contacting the appropriate however you may place a 90-day fraud victim alert on your credit report by contacting the three major credit bureaus.
Security software vendors in recent months have repeatedly warned government agencies and private sector companies that coordinated hacking attacks originating from outside the U.S. are becoming more frequent and sophisticated.
The most recent and glaring example of suspected nation-sponsored cyber terrorism came to light last month when Google revealed that its networks and those of more than two dozen other U.S. companies were infiltrated by Chinese hackers -- or possibly by hackers hired by or sympathetic to the Chinese government -- through a flaw in Microsoft's Internet Explorer browser.