Third Party Cyber Security Incident
Eighteen Kentucky Lottery 2017 and 2019 Wheel of Fortune promotion trip attendees affected by third-party security incident
The Kentucky Lottery Corporation contracted with a third-party vendor, IGT Group (now known as Brightstar Lottery Group) (“Brightstar), in 2017 and 2019 to provide a Wheel of Fortune licensed game and to administer and fulfill associated second chance promotion trip prizes. To fulfill the trip prizes, Kentucky Lottery provided Brightstar with certain personal information of the trip winners and guests.
On November 17, 2024, Brightstar discovered that an unauthorized third party gained access to certain of its business systems. Lotteries were notified of the unauthorized access, and Brightstar confirmed that no Lottery systems were impacted. This incident did not occur at the Kentucky Lottery.
Upon discovery, Brightstar took immediate action to resecure its impacted systems, investigate the incident, and report the incident to law enforcement.
Due to the complex and unstructured nature of the impacted data, Brightstar engaged a third party to conduct a manual review of the data to determine what personal information was impacted in accordance with applicable laws, and then, who Brightstar had received the data from.
As a result of the review, Brightstar determined that the incident involved some personal information of eighteen (18) individuals provided to Brightstar by the Kentucky Lottery in administering and fulfilling second chance promotion prize trips. Brightstar further confirmed that no Kentucky Lottery systems were affected by this security incident.
The personal information involved may have included, in part or whole, name, contact information, date of birth, passport or military ID or government identification number such as driver’s license number or Social Security number.
Brightstar mailed a notification letter to the eighteen (18) individuals impacted on September 26, 2025. Brightstar will offer impacted individuals two (2) years of complimentary credit monitoring services. In response to the security incident, Brightstar implemented additional security and monitoring measures and notified law enforcement.
Brightstar has established a dedicated toll free number at +1 (866) 819-2404 for impacted individuals. The Kentucky Lottery can be reached at the address and phone number below:
Kentucky Lottery Corporation
1011 West Main Street
Louisville, KY 40202
+1 502-560-1612
Additional Steps That Can Be Taken
Individuals who may be involved are recommended to remain vigilant for incidents of fraud or identity theft by reviewing their account statements and free credit reports for any unauthorized activity. Individuals may obtain a copy of their credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:
Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111
Experian, PO Box 2002, Allen, TX 75013, www.experian.com, 1-888-397-3742
TransUnion, PO Box 2000, Chester, PA 19016, www.transunion.com, 1-800-916-8800
If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Kentucky Attorney General’s Office. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission and Kentucky Attorney General’s Office is as follows:
Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW Washington, DC 20580, www.identitytheft.gov, 1-877-IDTHEFT (438-4338)
Kentucky Attorney General’s Office, 1024 Capital Center Drive, Suite 200, Frankfort, KY 40601, www.ag.ky.gov, 502-696-5389
Fraud Alerts and Credit or Security Freezes:
Fraud Alerts: There are two types of general fraud alerts you can place on your credit report to put your creditors on notice that you may be a victim of fraud—an initial alert and an extended alert. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial fraud alert stays on your credit report for one year. You may have an extended alert placed on your credit report if you have already been a victim of identity theft with the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years.
To place a fraud alert on your credit reports, contact one of the nationwide credit bureaus. A fraud alert is free. The credit bureau you contact must tell the other two, and all three will place an alert on their versions of your report.
For those in the military who want to protect their credit while deployed, an Active Duty Military Fraud Alert lasts for one year and can be renewed for the length of your deployment. The credit bureaus will also take you off their marketing lists for pre-screened credit card offers for two years, unless you ask them not to.
Credit or Security Freezes: You have the right to put a credit freeze, also known as a security freeze, on your credit file, free of charge, which makes it more difficult for identity thieves to open new accounts in your name. That’s because most creditors need to see your credit report before they approve a new account. If they can’t see your report, they may not extend the credit.
How do I place a freeze on my credit reports? There is no fee to place or lift a security freeze. Unlike a fraud alert, you must separately place a security freeze on your credit file at each credit reporting company. For information and instructions to place a security freeze, contact each of the credit reporting agencies at the addresses below:
- Experian Security Freeze, PO Box 9554, Allen, TX 75013, www.experian.com
- TransUnion Security Freeze, PO Box 2000, Chester, PA 19016, www.transunion.com
- Equifax Security Freeze, PO Box 105788, Atlanta, GA 30348, www.equifax.com
You'll need to supply your name, address, date of birth, Social Security number and other personal information. After receiving your freeze request, each credit bureau will provide you with a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.
How do I lift a freeze? A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it altogether. If the request is made online or by phone, a credit bureau must lift a freeze within one hour. If the request is made by mail, then the bureau must lift the freeze no later than three business days after getting your request.
If you opt for a temporary lift because you are applying for credit or a job, and you can find out which credit bureau the business will contact for your file, you can save some time by lifting the freeze only at that particular credit bureau. Otherwise, you need to make the request with all three credit bureaus.
