ICO begins investigation after Camelot detected ‘suspicious activity’ on player online accounts earlier this week
Earlier this week it said that as part of its regular online security monitoring it had become aware of suspicious activity on a very small proportion of online National Lottery Accounts.
But it said there had been no unauthorised access to core National Lottery systems or any databases, and no money had been withdrawn.
Camelot said that email addresses and passwords could have been obtained elsewhere, and used to try and access National Lottery accounts.
“We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details,” the firm said in a statement.
It said it doesn’t hold full debit card or bank account details in players’ accounts, but admitted that some personal information could have compromised.
“However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed,” it warned. “Of our 9.5 million registered online players, we believe that around 26,500 players’ accounts were accessed.”
Apparently 50 of these accounts had their personal details changed, and while the changes could have come from the players themselves, it has taken the precaution of suspending the accounts of these players.
Camelot said at the time it would help these players re-activate their accounts securely.
“In addition, we have instigated a compulsory password reset on the accounts of the 26,500 affected players,” said Camelot. “We are in the process of proactively contacting them to help them change their passwords, as well as giving them some more general online security advice.”
“We are also working closely with the National Crime Agency and the National Cyber Security Centre on an ongoing basis on this criminal matter,” it said. “We’d like to reassure our customers that protecting their personal data is of the utmost importance to us. We are very sorry for any inconvenience this may cause to our players.”
Meanwhile the Information Commissioner’s Office (ICO) has launched an investigation into the matter.
“We are aware of this incident and we have launched an investigation,” the data protection watchdog said. “Camelot submitted a breach report to us last night which we have reviewed. We will be talking to Camelot today.”
“The Data Protection Act requires organisations to do all they can to keep personal data secure – that includes protecting it from cyber attacks,” the ICO added. “Where we find this has not happened, we can take action. Organisations should be reminded that cyber security is a matter for the boardroom, not just the IT department.”
The Camelot compromise comes quickly after a similar incident at the online food delivery company Deliveroo.
A BBC investigation revealed a hack of ‘scores’ of its customers were charged for food they never ordered.
Like Camelot, the firm denied that it systems had been compromised and it urged customers to utilise better password security.
How well do you know data security? Take our quiz!