The National Lottery has admitted that 26,500 players’ online accounts may have been hacked and, in some cases, had their personal details changed.
It should be noted that the accounts compromised represent only a small fraction of the draw’s 9.5 million registered online players, although any potential data breach is, of course, not good.
Camelot, which operates the National Lottery, has said that it does not believe its own systems were hacked. It suspects that players’ login details were stolen from another source, although it is not yet clear which one.
The compromised accounts have not had any money taken from them, or added to them, according to Camelot.
“We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details,” it said in a statement.
“We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited.
“However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”
The company was made aware of the data breach on Sunday and informed The Information Commissioner’s Office (ICO).
“Camelot submitted a breach report to us last night which we have reviewed. We will be talking to Camelot today,” said a spokeswoman for The ICO.
“The Data Protection Act requires organisations to do all they can to keep personal data secure – that includes protecting it from cyber attacks. Where we find this has not happened, we can take action.”
“Organisations should be reminded that cybersecurity is a matter for the boardroom, not just the IT department.”
Due to the potential hack, consumers will have to change the passwords on their National Lottery accounts.
“However, they need to ensure that they don’t use the same password for other accounts,” suggests Oliver Pinson-Roxburgh, EMEA director at Alert Logic.
A passphrase, he goes on to explain, is also highly recommended, instead of a password.
“You can take a common phrase and create a pattern that means something to you, then add minor edits as a way to keep passphrases different.”
“An example is: The sun rise is great today. A simple passphrase could be: Tsr!Gr82day. The passphrase is 11 characters long and contains numbers, upper/lower case letters and a symbol. The exclamation mark (!) substitutes for the “i” in the word is. You can add something specific to make the passphrase different on multiple accounts.”