Major Iowa Lottery Snafu: Thousands of Past Winners’ Social Security Numbers Get Released

Posted on: September 27, 2017, 11:55h. 

Last updated on: September 27, 2017, 10:08h.

Iowa Lottery officials are red-faced, and have apologized after accidentally releasing 2,967 social security numbers of winners from 2011 to a college professor doing lottery research that covered the past 30 years.

Terry Rich Iowa Lottery snafu
Iowa Lottery CEO Terry Rich (seen here in 2012) has apologized, after his office inadvertently released nearly 3,000 social security numbers to a journalism professor doing research. (Image: Charlie Neibergall/timesunion.com)

Jeff Kelly Lowenstein, an assistant journalism instructor at Grand Valley State University outside of Grand Rapids in Michigan requested the information for a project and posted the hidden data on a website, which was discovered more than a week later.

The mistake was acknowledged at a meeting of the organization on Tuesday and the lottery’s attorney Rob Porter told the Des Moines Register the exposure was accidental.

“We take it extremely seriously,” he said. “It was an inadvertent error, and the lottery is very sorry this occurred.”

A statement was released later in the day by Iowa Lottery CEO Terry Rich, who said his office takes responsibility for the blunder.

“This release of sensitive data was unintentional,” he said. “As we have said many times through the years, human involvement in any process means it will not be perfect.”

Error Online For 10 Days

Lowenstein had requested lottery data in April going all the way back to 1985 through an open records request. Employees needed time to comb through the more than 30 years of winners and apparently it was on multiple databases.

They worked to put the material into one spreadsheet for the professor. During that process, someone inadvertently included the sensitive figures.

Lowenstein, unaware of the still-hidden info, then published it in mid-September. Only that one year’s social security numbers were given out and even then the numbers in the category field were hidden.

But one viewer of the professor’s research site called the commission and told them he had figured out a way to reveal the numbers with just a few extra steps. Lowenstein told the Des Moines Register he was contacted by lottery counsel Porter and immediately took down the webpage.

“Quite honestly, I was stunned when I got the call,” he said. “We deleted it immediately.”

Security Breach Onslaught

Before he was so informed, however, the page had seen by more than 100 people. Lowenstein said it had 119 unique views, but was uncertain how many people had actually downloaded the information.

Rich said that the nearly 3,000 owners of the leaked social security numbers were being contacted.

“We are offering those impacted access to a credit-monitoring service and reviewing our procedures to identify improvements that can be made as we move ahead,” he said in a press release.

The gaffe comes just as large companies are increasingly seeing their databases infiltrated by hackers. A recent major hack at credit agency Equifax released sensitive information, including social security numbers and other personal data, of 143 million Americans, or almost half the country’s population.