Personal information has been leaked from 26,500 accounts.
The UK National Lottery may have been hacked, says operator Camelot. The firm does not believe its systems have been compromised, but rather, says login information from upwards of 26,500 players had been stolen from other places and used to access accounts at the lottery. The company also says that no money has been taken from or added to the accounts in question. Suspicious activity has however been observed in fewer than 50 of the accounts, and an investigation has been launched by the Information Commissioner’s Office.
“Camelot submitted a breach report to us last night which we have reviewed. We will be talking to Camelot today,” said a spokesperson. “The Data Protection Act requires organisations to do all they can to keep personal data secure – that includes protecting it from cyberattacks. Where we find this has not happened, we can take action. Organisations should be reminded that cybersecurity is a matter for the boardroom, not just the IT department.”
Camelot became aware of the breach this Sunday, and released a statement in response: “We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details. We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited. However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”
A spokesperson added that the compromised accounts made out only a small portion of the organization’s 9.5 million registered members. The affected users have been contacted by Camelot and urged to change their passwords. One security expert told the BBC that this is one of many recent attacks in which hackers steal login details from one site and then test them on another. Other recent attacks have hit Deliveroo, PlayStation Network and Tesco Bank.