Camelot, operator of the UK's National Lottery, has announced that 26,500 online Lottery accounts have been breached, possibly due to password reuse.
It does not believe its own systems have been compromised, nor that any systems connected to the lottery draw itself have been affected.
In a statement, the company said: "We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details."
Camelot became aware of the issue on Monday and said it had seen no money taken from, or added to, any of the compromised accounts. Suspicious activity was identified on fewer than 50 of the accounts.
Camelot added, “The accounts [breached] represented a small fraction of the draw's 9.5 million registered online players.”
Camelot said: "We do not hold full debit card or bank account details in National Lottery players' online accounts and no money has been taken or deposited. However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed."
Camelot is contacting the owners of the accounts thought to have been compromised and instructing them to change their passwords.
It said: “Cyber-criminals such as this are persistent, and we are continuing to monitor and protect our systems. We are also working closely with the National Crime Agency and the National Cyber Security Centre on an ongoing basis on this criminal matter.”
Alex Cruz-Farmer, VP at NSFOCUS, told SC: “This is a great example of where hackers are getting smarter and are systematically testing usernames and passwords across a full spectrum of victim websites.”
Chris Hodson, EMEA CISO at Zscaler, told SC: “The National Lottery have now outlined that no payment details or money were accessed, but that does not lessen the impact of the breach. Confidential data can still be used to build a false customer profile or commit subsequent fraud at scale. With the General Data Protection Regulation looming for kick-off in 2018, we have to wonder how the National Lottery would have responded if such requirements were imposed on them today?”
Ollie Whitehouse, technical director at NCC Group, told SC: “Companies are increasingly consuming post-breach threat intelligence of other companies to mitigate the effects against their services. If this had been done in this instance the impact would have likely been far less.”
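The two techniques the experts describe, systematic testing of leaked email/password pairs across many sites (credential stuffing) and consuming other companies' breach data to blunt it, can both be illustrated in code. The following is an added example written for this page; it is not Camelot's, SC's or any quoted expert's code, and the login log, the breach corpus and the detection thresholds are all constructed for illustration. The first function flags source addresses that attempt many distinct accounts in a short window with a high failure rate, the fingerprint of a stuffing run rather than of one user mistyping their own password, and lists which accounts the run got into. The second screens a password against a (stand-in) set of SHA-1 hashes from previously breached sites using the five-character prefix range query that public breached-password lookup services use, so the full hash never leaves the client.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real lottery logs): one address works
# through many different accounts in seconds, mostly failing; a legitimate
# user at another address retries their own password and then succeeds.
SAMPLE_LOG = """\
2016-11-28T02:00:01Z 198.51.100.7 alice@example.net FAIL
2016-11-28T02:00:02Z 198.51.100.7 bob@example.net FAIL
2016-11-28T02:00:02Z 198.51.100.7 carol@example.net OK
2016-11-28T02:00:03Z 198.51.100.7 dave@example.net FAIL
2016-11-28T02:00:03Z 198.51.100.7 erin@example.net FAIL
2016-11-28T02:00:04Z 198.51.100.7 frank@example.net FAIL
2016-11-28T02:00:05Z 198.51.100.7 grace@example.net OK
2016-11-28T02:00:06Z 198.51.100.7 heidi@example.net FAIL
2016-11-28T02:05:00Z 203.0.113.9 ivan@example.net FAIL
2016-11-28T02:05:07Z 203.0.113.9 ivan@example.net OK
"""


def parse_log(text):
    """Parse 'timestamp ip username outcome' lines into tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: (distinct_accounts, failures, attempts, accounts_logged_into)}
    for addresses whose activity looks like credential stuffing: at least
    `min_accounts` different usernames inside `window` and a failure ratio of
    at least `min_fail_ratio` (thresholds are illustrative assumptions). A user
    retrying one account is never flagged, however many times they fail."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):           # sliding time window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_accounts and fails / len(win) >= min_fail_ratio:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    hits = sorted({e[2] for e in win if e[3] == "OK"})
                    flagged[ip] = (len(users), fails, len(win), hits)
    return flagged


def accounts_to_reset(events):
    """Accounts successfully logged into from a flagged address: the ones the
    operator would contact and force to change their password."""
    users = set()
    for _, _, _, hits in detect_stuffing(events).values():
        users.update(hits)
    return sorted(users)


# Constructed stand-in for a breached-credential corpus of the kind obtained
# from post-breach threat intelligence; real ones hold hundreds of millions
# of SHA-1 hashes of leaked passwords, this one holds three.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password1", "lottery2016", "letmein")
}


def prefix_lookup(prefix5):
    """Server side of a k-anonymity range query: return every suffix in the
    corpus whose hash starts with the 5-hex-character prefix. The client only
    ever reveals the prefix, so the service cannot recover the password."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def password_is_breached(password):
    """Client side: hash locally, send the prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in prefix_lookup(digest[:5])


if __name__ == "__main__":
    for ip, (n_users, fails, total, hits) in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {n_users} accounts, {fails}/{total} failed, got into {hits}")
    for pw in ("lottery2016", "correct horse battery staple"):
        print(f"{pw!r} breached: {password_is_breached(pw)}")
```

Run against the constructed log, only 198.51.100.7 is flagged (8 accounts, 6 of 8 attempts failed, two accounts entered), which is what "suspicious activity on fewer than 50 accounts" looks like at log level; the retrying user at 203.0.113.9 is not. Screening new and changed passwords with the prefix check, and re-screening existing accounts when a fresh corpus arrives, is the concrete form of "consuming post-breach threat intelligence" that would have made reused credentials unusable before an attacker tried them.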