Camelot UK Lotteries has confirmed an incident that they estimate affects around 26,500 online player accounts. They are in the process of contacting them all.
The National Cyber Security Centre (NCSC) has been working with the National Crime Agency (NCA) and Camelot UK Lotteries to investigate the incident.
A criminal investigation is now underway under the leadership of the National Crime Agency.
Due to the type of data involved our advice for National Lottery customers with online accounts is:
- Follow Camelot’s advice and ensure you reset the password on any service where you’ve used a similar password.
- If you are generally concerned, you can look on services like www.HaveIBeenPwned.com to see if your username or email address has been involved in a breach. You should definitely take action if you are listed, but services like this are not 100% accurate.
- Users should always enable two factor authentication (also known as two step authentication or two step login) where services support it.
Even if you are not a Camelot customer but have used a service that’s previously reported a data breach, you should reset the password on every service where you’ve used a similar password.
Secondary fraud and phishing is sometimes enabled by a data breach. You should be aware of any attempted communication purporting to be from Camelot. Advice for individuals on how to create strong passwords can be found on Cyber Aware.
Advice for organisations
As the national authority on cyber security, the roles of the National Cyber Security Centre in an incident of this kind are to:
- Provide all possible support to law enforcement;
- Work with the company concerned to manage the incident and bring it to a conclusion;
- Investigate the root causes of the incident and factor in any lessons learned to future guidance and policy on cyber security.
In the case of cyber related attacks, it can, on certain occasions, take a significant period of time to understand the incident given the technical complexities involved. And it is vital that nothing is said publicly that could interfere with law enforcement inquiries.