The UK National Lottery operator, Camelot, admitted today that the personal details of 26,500 online lottery players may have been accessed by hackers. Camelot said it became aware of suspicious activity on the accounts on Sunday during routine security monitoring.
While the operator claimed there had been no unauthorized access to core National Lottery systems, which would affect draws or payments, the attack may have resulted in personal information held in online accounts being accessed.
“Of our 9.5 million registered online players, we believe that around 26,500 players’ accounts were accessed,” said Camelot in an official statement. “A much smaller number, fewer than 50, have had some activity take place within the account since it was accessed.”
“This was limited to some of their personal details being changed, and some of these details may have been changed by the players themselves. However, we have taken the measure of suspending the accounts of these players and are in the process of contacting them to help them re-activate their accounts securely. In addition, we have instigated a compulsory password reset on the accounts of the 26,500 affected players.”
Passwords Stolen from Other Platforms?
The operator is currently investigating how the hackers were able to carry out the data breach without compromising its own systems. It believes that the email addresses and passwords used in the breach may have been stolen from customers who used the same log-in details on multiple platforms.
Camelot described its systems as “extremely robust” but added that the hackers used multiple different IP addresses over a short period of time.
But not everyone is buying the explanation. At least one customer, who had been contacted about the breach by Camelot via email, confirmed via Twitter that his username and password are completely unique to the National Lottery site.
Questions about Camelot Security
Meanwhile, cybersecurity expert Troy Hunt told the BBC today that while there had been cases of hackers stealing log-in details from one platform and using them to breach another, there are still serious questions to be asked about Camelot’s security measures.
“If there’s 26,500 accounts here and they are saying the credentials are correct but they didn’t come from us, they still let an attacker log in 26,500 times,” he said. “That alone is something that illustrates a deficiency.”
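The deficiency Hunt describes is that thousands of accounts were logged into from a handful of IP addresses over a short period without the pattern being stopped. As an added illustration (example code, not from Camelot or the article), the following Python flags source IPs that attempt logins against many distinct accounts within a short window and lists the accounts a defender would force-reset; the log lines, IPs, accounts and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real Camelot data): "timestamp ip account outcome"
SAMPLE_LOG = """\
2016-11-27T09:00:01 203.0.113.10 alice@example.invalid success
2016-11-27T09:00:02 203.0.113.10 bob@example.invalid success
2016-11-27T09:00:03 203.0.113.10 carol@example.invalid fail
2016-11-27T09:00:04 203.0.113.10 dave@example.invalid success
2016-11-27T09:00:05 203.0.113.10 erin@example.invalid success
2016-11-27T09:00:06 203.0.113.11 frank@example.invalid success
2016-11-27T09:00:07 203.0.113.11 grace@example.invalid success
2016-11-27T09:00:08 203.0.113.11 heidi@example.invalid success
2016-11-27T09:00:09 203.0.113.11 ivan@example.invalid fail
2016-11-27T10:30:00 198.51.100.7 alice@example.invalid success
2016-11-27T10:31:00 198.51.100.7 alice@example.invalid success
"""

def parse_log(text):
    """Parse one event per line into (timestamp, ip, account, outcome)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, outcome = line.split()
            events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return events

def flag_stuffing_ips(events, window=timedelta(minutes=10), min_accounts=4):
    """Return {ip: distinct accounts tried} for IPs that attempted logins against
    at least `min_accounts` distinct accounts inside any `window`-long span.
    Successful attempts count too: reused-password stuffing mostly succeeds."""
    by_ip = defaultdict(list)
    for ts, ip, account, _ in events:
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            seen = {acct for ts, acct in attempts[i:] if ts - start <= window}
            if len(seen) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(seen))
    return flagged

def compromised_accounts(events, flagged_ips):
    """Accounts with a successful login from a flagged IP: the set to force-reset."""
    return sorted({a for _, ip, a, out in events if ip in flagged_ips and out == "success"})
```

The window-and-threshold rule is the simplest velocity check; production detection would also rate-limit per IP and per account and alert on the aggregate login rate.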
The Information Commissioner’s Office, the UK’s data protection watchdog, said it had launched an investigation into the matter to determine whether Camelot had breached the Data Protection Act.
“The Data Protection Act requires organizations to do all they can to keep personal data secure – that includes protecting it from cyberattacks. Where we find this has not happened, we can take action,” it said in an official statement.
“Organizations should be reminded that cybersecurity is a matter for the boardroom, not just the IT department.”