Lottery IT security boss guilty of hacking lotto computer to win $14.3m

Iowa state lottery's IT security boss hacked his employer's computer system, and rigged the lottery so he could buy a winning ticket in a subsequent draw.

On Tuesday, at the Polk County Courthouse in Des Moines, Iowa, the disgraced director of information security was found guilty of fraud.

Eddie Tipton, 52, installed a hidden rootkit on a computer system run by the Multi-State Lottery Association so he could secretly alter the lottery's random number generator, the court heard. This allowed him to calculate the numbers that would be drawn in the state's Hot Lotto games, and therefore buy a winning ticket beforehand.

The prosecution said he also tampered with security cameras covering the lottery computer to stop them recording access to the machine.

The winning ticket, worth $14.3m after the draw in December 2010, was bought by a customer in a Des Moines QuikTrip gas station who kept his or her face hidden by a hoodie. Lottery bosses released the video of the purchase to the public in hope of tracking down the winner, and Tipton was identified as the punter by a coworker. That's when investigators stepped in.

Meanwhile, two teams of lawyers – one in Canada and one in the US – separately tried to cash the winnings, but could not prove they bought the winning ticket. One of the legal eagles said they were hired by Robert Rhodes, a Texas man who happened to be Tipton's best friend, to cash the winning ticket, The Des Moines Register reports.

Several former colleagues of Tipton told the court that the voice and mannerisms of the ticket's purchaser matched the security boss's behavior. Jason Maher, the lottery association's IT director, also testified that Tipton had told him that he had access to a rootkit, although the software was never found, because the company's hard drives had been wiped.

Appeal looms

The lack of computer evidence, and the testimony of Tipton's siblings that the ticket's purchaser wasn't their brother, was cited by defense lawyer Dean Stowers as evidence that the case against his client was flawed. He said Tipton plans to appeal the verdict.

"I'm not particularly surprised by the verdict," Stowers said, "because in a case where a jury is allowed to speculate on what occurred without actual evidence of what occurred, a jury can engage in all sorts of leaps of logic."

The case highlighted several weaknesses in the security setup at the Multi-State Lottery Association, with hard drives that could have contained evidence being wiped and security footage from cameras being stored improperly. It also called into question the efficacy of the computer system used to generate the winning ticket.

"The next guy not only can figure out how to do it, but having seen what happened here, can figure out how to cover his tracks and not make the same mistakes this Tipton guy made," said Joey George, an Iowa State University professor of information systems.

Nevertheless, Iowa lottery CEO Terry Rich insisted that the state lottery was now secure, and that improvements have been made. The prize money has since been returned to the organization and used for other payouts.

"There is no doubt this has been a fascinating case," Rich said in a statement. "We respect the court's work and the jury's verdict. The facts in this case have enabled us to further enhance our layers of security to protect the integrity of lottery games, and that ultimately has been a positive."

After a week-long trial, the jury convicted Tipton on two counts of fraud. Rhodes faces similar charges. Tipton could be sentenced to ten years in prison, although he is free on bail pending his appeal. ®