
Thousands of National Lottery accounts hacked

National Lottery operator Camelot says the log-in details of thousands of people who do the lottery online have been stolen

The online log-in details of National Lottery players have been hacked, but no money has been stolen, according to National Lottery operator Camelot.

There are 9.5 million National Lottery players registered online, but Camelot said only around 26,500 accounts were accessed. It added that fewer than 50 accounts have had suspicious activity, such as personal details being changed, since the breach.

The company said it unearthed “suspicious activity on a very small proportion of our players’ online National Lottery Accounts” during its online security monitoring on 28 November 2016.

It added that there has been no unauthorised access to core systems. “In addition, no money has been deposited or withdrawn from affected player accounts,” said Camelot.

“However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”

The company said it is now trying to find out what happened, but it believes that “the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details”.

The affected accounts have been suspended and Camelot will contact the account holders to re-activate them. Camelot added that it is working with the National Cyber Security Centre on the incident. 

Chris Hodson, European, Middle East and Africa chief information security officer at cloud security company Zscaler, said: “With the General Data Protection Regulation looming for kick-off in 2018, we have to wonder how the National Lottery would have responded if such requirements were imposed on them today.”

“To mitigate risks in the short term, account holders should update passwords and avoid using the same password across multiple sites,” he added.


1 comment


Not entirely surprised by this. Camelot used to only allow a login username/password, but recently updated it so that you could use your registered email address instead of the username. The username for most accounts therefore was not their email address.

Such a stupid change to make without notifying users first and asking if they actually want to use their email address. I didn't want this change yet it was made on my account regardless.

There is nothing like good security, and this is indeed nothing like...

JohnC.
