The National Lottery is advising all 10.5million people with online accounts to change their passwords following a security breach that happened days before tonight’s £14million Euromillions draw.
Camelot, the lottery operator, said hackers had made attempts to access accounts and that limited information may have been viewed.
The mass attack, said to have been done using a technique known as “credential stuffing,” was successful in accessing some 150 accounts and in a small number, “some activity” took place within the account.
It urged all online customers to change their passwords, particularly if they use the same email address and passwords for several sites.
Camelot said no customers had lost any money. It is contacting all 10.5 million online customers and put a warning on its website stating:
“As part of our regular security monitoring, we have seen some suspicious activity on a very small number of players’ accounts.
“We have directly contacted those players whose accounts have been affected. We are advising players to change their password as a precaution, particularly if they use the same password across multiple websites.”
Camelot said the hacking attack appeared to have begun on March 7.
A spokesman said:
“Since then, the activity has been extremely low level and very sporadic – and almost indistinguishable from normal player activity.”
The tactic of credential stuffing is said to involve using computers to fire the same email address and password combination at a large number of websites in a bid to get access to an account.
The combination of email address and password will have been leaked and sold to fraudsters.
Camelot said it had reported the security breach to the police and the Information Commissioner’s Office and was liaising with the National Cyber Security Centre.
The Information Commissioner’s Office said it had launched an investigation into the matter. A spokeswoman commented,
“Camelot submitted a breach report to us last night which we have reviewed. We will be talking to Camelot today,”
“The Data Protection Act requires organisations to do all they can to keep personal data secure – that includes protecting it from cyberattacks. Where we find this has not happened, we can take action.
“Organisations should be reminded that cybersecurity is a matter for the boardroom, not just the IT department.”
Camelot added that there has been no unauthorised access to core National Lottery systems or any of its databases. They confirmed that emails sent out were legit, and players should change their details as soon as possible.
It added:
“We would like to reassure our players that we do not display full debit card or bank account details on their online National Lottery accounts. We have suspended all of the affected accounts and have directly contacted these players to help them re-activate their accounts securely.”
