Skip to main content

National lottery data breach: Industry reaction and analysis

National Lottery operator Camelot announced this morning that around 26,500 accounts may have been hacked, with the company suspecting that the login details had been stolen previously and re-used on Lottery accounts.

As the news of yet another data breach hits the headlines, various industry professionals have offered their reaction and analysis.

David Kennerley, Director of Threat Research at Webroot:

"The data breach suffered by the National Lottery and Camelot is the latest in a spate of breaches where scammers have accessed online accounts through passwords and emails addresses obtained elsewhere. Consumers need to understand the importance of proper password management and avoiding recycling logins for multiple services, especially if the service deals with financial and personal data.

"The forced password reset for the 26,500 accounts affected is exactly the right response. We would also recommend that anyone who is concerned about their account should change their password, especially if you have re-used the credentials across multiple online services."

James Maude, senior security engineer at Avecto:

“This hack is part of a continuing trend of credential stuffing, where passwords from one breach are reused to gain access to other accounts to harvest more personal information. Users need to be aware of the dangers of reusing passwords especially when these cross the boundary between personal and business accounts.

“Though Camelot believe fewer than 50 customers have had activity take place within their accounts, it’s yet another wakeup call for organisations to bolster the security of customer data. Taking proactive steps to secure systems and monitor for breach attempts, rather than reactive measures after an event. Camelot has moved quickly in responding to this breach, locking down accounts, triggering compulsory password resets and contacting for those affected directly. That has to be commended, unfortunately most companies aren’t quite so vigilant.”

Chris Hodson, EMEA CISO at Zscaler:

“Cybercriminals may have hit the holiday jackpot with over 26,500 registered National Lottery users. With no technical details included in the National Lottery’s statement about how the data was exfiltrated, just that it was, we can only speculate as to the tactics of these hackers. The act of stealing personal information from these accounts but leaving financial credentials untouched, also highlights that the motives of the criminals was not immediate financial fraud but highly sought personal identifiable information.

“The National Lottery has now outlined that no payment details or money were accessed, but that does not lessen the impact of the breach. Confidential data can still be used to build a false customer profile or commit subsequent fraud at scale. With the General Data Protection Regulation looming for kick-off in 2018, we have to wonder how the National Lottery would have responded if such requirements were imposed on them today?

“To mitigate risks in the short term, account holders should update passwords and avoid using the same password across multiple sites. Instead they should consider using a password vault to store a variety of different, and more complex passwords without becoming reliant on the security of corporate enterprises.”

Andy Herrington, Head of Cyber Professional Services in UK & Ireland at Fujitsu:

“The statement by Camelot once again draws attention to the cyber challenge presented to today’s enterprise. While it appears that 26,500 National Lottery players’ accounts were accessed, it is interesting to note that Camelot’s response is very different from many incidents reported over the course of this year.

“It appears to be very much a pro-active statement which seeks to re-assure users by providing details of the incident in a very controlled way which is easy to understand. The fact that Camelot’s monitoring systems have played a clear role and that they have been able to investigate the incident, threat vector and impact quickly also demonstrates a level of maturity and control.

“While it is yet another incident it does clearly demonstrate that organisations which prepare themselves appropriately, including monitoring and forensic services underpinned by effective incident processes, are better prepared for what many consider ‘the inevitable’. This is the direction that many organisations will need to take in preparation for GDPR.”

Image source: Shutterstock/Ai825