Earlier this month, Brightstar Lottery Group notified the Rhode Island Attorney General’s Office and impacted individuals about a data breach that compromised the personal information of over 6,000 R.I. residents. The company is the state’s exclusive lottery supplier through 2043.
Most of the impacted individuals — 103,879 across several states — are current or former employees of Brightstar, which was formerly known as International Game Technology. Seventeen of the impacted individuals are lottery players from Rhode Island, Brightstar spokesperson Mike DeAngelis wrote in an email to The Herald.
The breached information may have included names, dates of birth, government identification documents and numbers, as well as contact and financial account information, according to Kimberly Houston, another spokesperson for Brightstar.
While lottery players are not typically required to present information upon buying a ticket, they must present a government-issued photo identification and a Social Security number to collect a prize over $600.
Brightstar became aware of the breach on Nov. 17, 2024, according to DeAngelis. Two days later, the company disclosed the breach to the U.S. Securities and Exchange Commission and on its website.
R.I.’s Identity Theft Protection Act requires that non-government entities notify the R.I. Attorney General’s Office and impacted individuals within 45 days of confirming the breach and gathering any relevant information. Once these requirements are met, the law requires the notifications to “be made in the most expedient time possible.”
On Aug. 21, Brightstar completed its internal review of the incident. “Due to the complex and unstructured nature of the impacted data, a detailed, manual and time-consuming review of the data was necessary to determine what and whose personal information was involved,” DeAngelis wrote.
On Oct. 3 — over 10 months after the breach occurred — Brightstar “notified the R.I. attorney general’s office and sent data breach notices to individuals,” DeAngelis wrote, adding that the notice came “within the required 45-day window” that began Aug. 21.
“We are not aware of any misuse of personal information,” DeAngelis wrote. “As a precaution, we are offering all impacted individuals 24 months of credit monitoring, fraud detection or dark web monitoring” through a third-party service, he wrote.
Last week, a class action lawsuit was filed against Brightstar in the U.S. District Court of Rhode Island alleging cybersecurity negligence and personal injury claims. DeAngelis declined to comment on the suit.
The breach could lead to further private or state-led legal action against Brightstar. Several law offices announced investigations into the matter, focusing on whether Brightstar’s timing of notification violated state or federal laws and potential class action lawsuits.
Under state law, plaintiffs may recover up to $100 for a “reckless violation” of the Identity Theft Protection Act, and up to $200 for a “knowing and willful violation.”
State law also permits the attorney general to bring legal action. A spokesperson for R.I. Attorney General Peter Neronha P’19 P’22 did not respond to a request for comment on whether Neronha would investigate the breach.
Earlier this year, a bill was introduced in the R.I. General Assembly that would have raised the penalty for violations of the Identity Theft Protection Act. The bill died in committee in the House and in the Senate after a full vote by the chamber.
Senate Majority Leader Frank Ciccone (D-Providence, Johnston) chairs the General Assembly’s Joint Committee on State Lottery Documents. In response to an inquiry to Ciccone about the breach, Greg Pare, director of communications at the R.I. State Senate, referred The Herald to the Rhode Island Lottery.
Mark Furcolo, director of the Rhode Island Lottery, said in a statement sent to The Herald that there are “no indications that the Rhode Island Lottery’s systems were impacted” by the data breach.
Furcolo did not address whether the breach would change the Rhode Island Lottery’s relationship with Brightstar.
Lev Kotler-Berkowitz is a senior staff writer covering city and state politics. He is from the Boston area and is a junior concentrating in Political Science and Economics. In his free time, Lev can be found playing baseball or running around with his dog.
