An unpatched firewall protecting the sensitive data stored on a server at the Iowa Racing and Gaming Commission gave hackers the opening they needed to access the personal data of more than 80,000 people. eSecurity Planet explains what went wrong and what lessons other government agencies can learn from the security breach.
The Iowa Racing and Gaming Commission this week is warning more than 80,000 licensed casino and racing employees that hackers managed to exploit an unpatched firewall to access a government database containing their names, Social Security numbers, addresses and birth dates.
Commission officials said the hackers were able to infiltrate the state computer system on Jan. 26 during a routine maintenance procedure. The state shut down the affected server 15 minutes after the breach was detected.
A subsequent forensic investigation determined that the firewall had not been properly updated with a patch, giving hackers the opportunity to penetrate the network through the security hole.
The investigation also found that China was the source of the hacking incident, although state officials said there’s no way to know whether those responsible for the cyber attack were actually in China or were simply using a server based in the country to launch their assault.