Maryland Gaming Agency Audit Raises Security Concerns

The agency's computer network was not sufficiently protected and allowed insecure connections to critical devices, according to auditors.

by Matthew Bieniek, Cumberland Times News / April 21, 2015

(TNS) — Computer security and payments of unclaimed slot machine proceeds were the two concerns outlined by state auditors in a financial compliance audit of the Maryland Lottery and Gaming Control Agency. The agency administers lottery games, video lottery (slots) programs and table gaming in Maryland.

Revenue from the games supports the state’s general fund, education trust fund and other state funds to the tune of $2.6 billion in gross revenue over fiscal 2014, or about $942 million distributed to various state accounts, according to the audit.

Some people who play the slots don’t cash out, though, and that’s where auditors discovered a problem. After 182 days, unclaimed voucher amounts, printed out at the slot machines and not cashed, become the state’s money. In 2013, the total unclaimed amounts were $704,000. Under current regulations, all of that money should have been placed in state accounts. However, auditors said $347,000 was distributed to nonstate entities, including casino operators, instead of solely to the state. Auditors left something of an out for the agency, though, one on which the agency followed through.

Auditors said that the agency could seek a change in regulations to conform with the method by which the unclaimed funds were distributed.

The agency has proposed a regulation allowing it to continue to distribute the funds based on the same formula used to distribute all other video lottery proceeds. In a response to the audit dated April 13, acting agency director Gina M. Smith said the regulation change and other fixes requested in the audit were being pursued.

“We take these findings seriously and many of the recommendations have been implemented or are in the process of being implemented,” Smith wrote.

The regulations has been published in the Maryland Register, with comment closing April 20. After the comments are reviewed, the regulation could be revised.

Computer network security also concerned auditors, who pointed out the following problems:

• “The firewalls installed to protect the ... network allowed unnecessary and insecure connections to network devices on the internal network. The firewalls’ rules were not configured to adequately secure connections into the network from the Internet, networkMaryland, and other untrusted sources. ... Therefore, critical network devices were susceptible to attack which could result in a loss of data integrity or the interruption of critical network services,” auditors said.

• An insecure connection protocol transmitted unencrypted data, including user identifications and passwords for the administration of the system firewall.

• Network workstations and servers (approximately 220 devices) were not sufficiently protected against malware.

• Workstations and servers tested had not been updated with the latest releases for software products that are known to have significant security-related vulnerabilities.

The agency said the problems have been fixed and that software will be updated properly in the future.

The time period covered by the audit was from March 2011 through March 19, 2014. The audit was conducted by the Office of Legislative Audits of the Department of Legislative Services, Maryland General Assembly.

©2015 the Cumberland Times News (Cumberland, Md.) Distributed by Tribune Content Agency, LLC