26,500 National Lottery accounts have been hacked, according to parent company Camelot Group.
In a statement on the incident, Camelot said the attackers used credential stuffing, replaying username and password pairs leaked from breaches of other sites, to gain access to user accounts, but that no money had been taken and the National Lottery’s own systems had not been compromised.
“There has been no unauthorised access to core National Lottery systems or any of our databases, which would affect National Lottery draws or payment of prizes,” the company said.
Changes were made to fewer than 50 accounts, which Camelot has suspended for the time being. Users who may have been affected are being notified, and the incident has been reported to the Information Commissioner’s Office (ICO).
“Camelot submitted a breach report to us last night which we have reviewed. We will be talking to Camelot today,” said an ICO spokeswoman. “The Data Protection Act requires organisations to do all they can to keep personal data secure – that includes protecting it from cyberattacks. Where we find this has not happened, we can take action.”
Though Camelot emphasises that its own systems were not compromised and that the credential combinations were likely reused from breaches of other websites, some argue that it should still take some of the blame.
“They still let an attacker log in 26,500 times,” said security researcher Troy Hunt. “That alone is something that illustrates a deficiency.”
“We do have extremely robust systems in place. However, cybercriminals are very persistent and, in this case, used multiple, different IP addresses over a short period of time,” said a Camelot spokesperson. “As soon as we detected a significant increase in both attempted and failed log-ins, we were able to quickly take action to block them.”
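The signal Camelot describes, a sharp rise in attempted and failed logins spread across many source addresses, is what distinguishes credential stuffing from an ordinary brute-force attack on one account. The detector below is an added illustration written for this article, not Camelot's code, and the log line format, the five-minute window and the alert thresholds are all assumptions; the sample log is constructed inline. It flags windows where failures are high, the failed usernames are mostly distinct (each leaked pair is tried once) and the traffic comes from many IPs, and it lists the accounts where a login succeeded inside such a window, which are the ones a defender would suspend and notify. A single-account brute force in the same sample deliberately does not trigger the rule.

```python
"""Credential-stuffing detector over authentication log lines.

Added example for illustration; not Camelot's or the National Lottery's code.
Assumed log format per line:
    2016-11-29T22:00:01Z login user=alice src=203.0.113.10 result=success
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "ok": m["result"] == "success"}


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_failures=20, min_users=15, min_ips=5):
    """Tumbling-window detector (thresholds are assumptions, tune to your baseline).

    A window alerts when failures are numerous AND spread over many distinct
    usernames AND many distinct source IPs. Accounts that logged in successfully
    inside an alerting window are reported as candidates for suspension.
    """
    win = window.total_seconds()
    buckets = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                   "users": set(), "ips": set(), "succeeded": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        b = buckets[int(ev["ts"].timestamp() // win)]
        b["attempts"] += 1
        if ev["ok"]:
            b["succeeded"].add(ev["user"])
        else:
            b["failures"] += 1
            b["users"].add(ev["user"])
            b["ips"].add(ev["src"])

    alerts = []
    for key in sorted(buckets):
        b = buckets[key]
        if (b["failures"] >= min_failures and len(b["users"]) >= min_users
                and len(b["ips"]) >= min_ips):
            start = datetime.fromtimestamp(key * win, tz=timezone.utc)
            alerts.append({
                "window_start": start.isoformat(),
                "attempts": b["attempts"],
                "failures": b["failures"],
                "distinct_users": len(b["users"]),
                "distinct_ips": len(b["ips"]),
                # accounts the attacker actually got into during this window
                "compromised_candidates": sorted(b["succeeded"]),
            })
    return alerts


def build_sample_log():
    """Constructed sample traffic (not real data): ten minutes of normal logins,
    then a five-minute stuffing burst, then a one-account brute force."""
    base = datetime(2016, 11, 29, 22, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(offset_s, user, src, ok):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} login user={user} src={src} result={'success' if ok else 'failure'}")

    # Normal: six regular users from four addresses, the odd mistyped password.
    for i in range(20):
        add(i * 30, f"user{i % 6}", f"198.51.100.{i % 4}", ok=(i % 7 != 0))
    # Stuffing burst from +10 min: 60 leaked usernames tried once each from 12
    # addresses; 5 of the reused passwords still work.
    for i in range(60):
        add(600 + i * 4, f"leaked{i}", f"203.0.113.{i % 12}", ok=(i % 12 == 0))
    # Brute force from +20 min: one account hammered from one address.
    for i in range(30):
        add(1200 + i * 5, "victim", "192.0.2.7", ok=False)
    return lines


if __name__ == "__main__":
    for alert in detect_credential_stuffing(build_sample_log()):
        print(alert)
```

Only the burst window alerts: 60 attempts, 55 failures against 55 different usernames from 11 addresses, with five accounts to suspend. The brute-force window has 30 failures but one username and one IP, so it is left to a per-account lockout rule rather than this one; in practice the two detections complement each other, and the distinct-username ratio is the feature that survives an attacker rotating IPs.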