Cyber criminals appear to be using passwords and email addresses from previous breaches to gain access to 26,000 online UK National Lottery accounts.
Camelot, the company behind the National Lottery, detected the scam and subsequent attempted frauds and responded by locking down accounts, triggering compulsory password resets and contacting those affected directly. Although 26,500 accounts were compromised, Camelot reckons fewer than 50 have had some activity take place within the accounts and that this was limited to some of their personal details being changed.
In a statement, Camelot downplayed the significance of the incident - which didn’t result in financial fraud but might nonetheless have exposed the personal details of thousands.
We would like to make clear that there has been no unauthorised access to core National Lottery systems or any of our databases, which would affect National Lottery draws or payment of prizes. In addition, no money has been deposited or withdrawn from affected player accounts.
We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited. However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.
Camelot added that it was “working closely” with the National Crime Agency and the National Cyber Security Centre over criminal access to its systems.
James Maude, senior security engineer at global cyber security firm Avecto, said the incident represents the latest in a growing line of similar attacks, which ultimately depend on consumers reusing passwords on multiple sites.
“This is part of a continuing trend of credential stuffing, where passwords from one breach are reused to gain access to other accounts to harvest more personal information,” Maude said. “Users need to be aware of the dangers of reusing passwords especially when these cross the boundary between personal and business accounts.”
“Though Camelot believe fewer than 50 customers have had activity take place within their accounts, it’s yet another wakeup call for organisations to bolster the security of customer data. Taking proactive steps to secure systems and monitor for breach attempts, rather than reactive measures after an event,” he added.
The credential stuffing attack against Camelot customers follows shortly after a technically similar attack against users of online takeaway firm Deliveroo that resulted in victims being charged for food they did not order. Victims were reimbursed and Deliveroo has promised to improve the security of its systems by requiring additional checks before delivering food to new addresses, among other measures.
UK data privacy watchdogs at the ICO said that the body has launched an investigation into the incident. It said Camelot had notified it prior to going public this morning.
Ollie Whitehouse, technical director at NCC Group, added: “This latest hack is yet another example of why people should use different and strong passwords for all online accounts due to the lack of transparency with regards to how they are held. Although individual breaches like this might seem small or harmless, they could eventually have more serious consequences for individuals who choose to recycle the same passwords.” ®