Federal Contractor Allowed Clients to Use Its Servers to Bet on Sports in the US
Posted: September 23, 2014
Updated: June 4, 2017
A United States security contractor ran a sports betting site on its servers, exposing federal email addresses.
There is a lot of controversy surrounding sports betting and internet gambling in the US, but things just got more serious after it was discovered that a federal contractor hired to help the government with its background check operations was involved in an online wagering operation.
Bets on National Collegiate Athletic Association championships were placed via a website hosted on one of the contractor’s corporate servers, and the operation resulted in the public disclosure of hundreds of names, along with personal information and the corporate and government email addresses of those who used the service.
Perfect opportunity for hackers
The Professional and Amateur Sports Protection Act of 1992 makes it illegal to run a betting service in the US, except in the following states:
• Nevada
• Delaware
• Oregon
• Montana
American gambling laws forbid online sports betting, and some experts suspect whoever set up the website intended for the information to get out. The web service was public and hosted under a company domain.
While officials insist there was never any security risk, experts say a list of email addresses associated with a federal contractor leaves the door open for hackers, making it easier for them to attack both the company and its clients and contacts. Furthermore, although the records were removed from the company website, they are still visible on Google.
Neal O’Farrell, a security expert at CreditSesame, said: “This is just perfect for a hacker. Every person on this list is a much easier and more vulnerable target than they were before.”
According to Phil Becnel, managing partner of Dinolt Becnel & Wells Investigative Group, the problem goes beyond a simple email address.
“It’s also potentially a login and an opportunity to phish someone connected to the target,” he explained. “So, from the standpoint of an adversary, a list of employees and their personal email addresses would be a pretty good place to start if you wanted to hack a company.”
Keep calm, your information is safe
Meanwhile, the company insists that the security of its computers, servers and databases was maintained, despite the improvised online bookmaking site being publicly hosted. Moreover, only a “few NT Concepts-related individuals” participated in the pool, it added.
In a recent statement, executive vice president Chris Cusano said: “The March Madness pool was hosted on an external server that was completely separate from the company’s internal servers, systems and databases; these are protected by the company’s firewall.”
“We do not have sensitive customer information on our network, nor do we intend to host such information. There is simply no connection between the March Madness pool that we shut down years ago and NT Concepts’ cybersecurity today.”
The firm was recently awarded an Office of Personnel Management contract, making it responsible for supporting background investigative services. It denied its involvement in the betting operation, claiming the website was set up by someone from outside the company.
According to the records, players who participated in the pool used checks, credit cards and PayPal as payment methods. Company representatives said they don’t condone office pools. The president of the firm was involved on a personal voluntary basis, they added.
Company and Army officials betting
Even though the betting operation was stopped, the online records discovered by The Times are still fully visible on Google. More than 340 unique names and email addresses are shown on the Internet, exposing everyone who participated in the pool.
Data indicated NT Concepts president, Michele Bolos, was also involved. Using the phone number shown in the records, the newspaper contacted an Army official, but he refused to comment. The tournament pool went on for years.
In 2011, NT Concepts announced that it had won an $18.5 million contract spanning five years to support background investigation services. The company was also hired to conduct records searches for the Office of Personnel Management (OPM). While it provides support services, the firm is not involved in field work.
It’s still unclear whether OPM officials knew about the wagering site, which was eventually shut down, but the incident certainly raises some questions about the integrity of the company.