The ransomware attack on the Ohio Lottery affected over 538,000 people

​The Ohio Lottery is sending data breach notification letters to over 538,000 people affected by a cyberattack that hit the organization’s systems on Christmas Eve.

A filing with the Maine Attorney General’s Office found that the incident affected 538,959 people. The attackers gained access to the names, social security numbers and other personal identifiers of the affected individuals.

“On or about December 24, 2023, the Ohio Lottery discovered unauthorized access to our internal office network due to a cybersecurity incident, which resulted in the exposure of the data we maintain. The incident had no impact on the gaming network,” the Ohio Lottery said.

“Following an extensive forensic investigation and our manual document review, we learned on April 5, 2024 that there was unauthorized access to certain files containing your personal information.”

According to the Ohio Lottery, no evidence was found that the stolen information was used for fraud. Still, “out of an abundance of caution,” it is offering free credit monitoring and identity theft protection services to anyone potentially affected.

Breach claimed by DragonForce ransomware

While the Ohio Lottery did not disclose the nature of the incident that impacted mobile and sweepstakes operations, the DragonForce ransomware gang claimed responsibility for the attack days later.

The threat actors claimed they encrypted devices and stole documents from Ohio Lottery customers and employees.

A post added to the ransomware group’s dark web leak site on December 27 said the attackers had stolen over 3 million records. After negotiations failed, on January 22, the gang leaked four .bak archives and several CSV files that were allegedly stolen from the Ohio Lottery’s systems.

According to DragonForce, the 94 GB of leaked data contains only 1,500,000 records containing the names, social security numbers and birth dates of Ohio Lottery customers.

While the DragonForce ransomware is a relatively new operation, with its first victim revealed in December 2023, the tactics, negotiation style and data leak point suggest an experienced extortion group.

Since their leak page now lists nearly four dozen victims and law enforcement has disrupted many ransomware operations in recent months, it wouldn’t be surprising if this was a rebranding of a previously known gang.

The DragonForce ransomware also reported a cyberattack that impacted the IT systems of Japanese probiotic beverage maker Yakult in Australia and New Zealand in mid-December.

Yakult announced the attack after the ransomware gang allegedly leaked 95GB of data stolen from the company’s compromised servers.