Thousands of customer accounts on the National Lottery website may have been compromised.
Camelot said it believes that “around 26,500 players’ accounts were accessed”, but fewer than 50 accounts have had activity take place since the hack.
The National Lottery operator said it became aware of “suspicious activity” on a number of players’ online National Lottery Accounts on Monday.
The Guru reached out to the cyber security community to get reactions to the latest data breach.
Alex Cruz-Farmer, VP at NSFOCUS:
“This is a great example of where hackers are getting smarter, and are systematically testing usernames and passwords across a full spectrum of victim websites. With these persistent and systematic attacks, it is showing how vulnerable we, as users, are without the right security mechanisms in place. This is also a great reminder to everyone to stay vigilant, and to try and avoid using the same passwords across multiple platforms and websites.”
Lee Munson, security researcher for Comparitech.com:
“The fact that the National Lottery has seen players’ accounts hacked is hardly surprising, given the fact that all companies should be asking when it will happen to them, not if. It’s also no more of a surprise to learn that those behind the attack have likely used login credentials stolen from elsewhere on the web. Such an approach is becoming increasingly common, mainly because the average user recycles the same one or two passwords across all of their accounts.
While Camelot has done the right thing in freezing some accounts and enforcing password changes, it really is up to everyone to take more responsibility for their own security by using different login credentials for every single account they sign up for. If using multiple different passwords sounds tricky, do not worry, as password managers can make that aspect of your online security very easy indeed.”
Alex Mathews, EMEA technical manager, Positive Technologies:
“Big consumer brands which hold vast amounts of personal details are pay-dirt for cybercriminals. They often hold massive databases of information which can be used for follow-up attacks on other services. The people contacted should make sure they keep a close eye on their online accounts for phishing and other suspicious activity. If anything looks awry, then it is probably best to treat it with caution. Now is probably a good time for the affected people to change their passwords across the board.”
Gavin Millard, EMEA technical director, Tenable Network Security:
“Rather than the usual breach being caused by an insecure web application, blurting out confidential information with a carefully crafted request, Camelot are claiming the breach of 26,500 user accounts is due to the credentials being swiped from another website not related to The National Lottery and used to log in.
“With so many systems being breached, reusing the same password on multiple sites is a major risk. If your password is exposed on one breach, this can be leveraged against many other systems to cause further losses and exposure of personal details. Users should protect themselves against simple attacks like this by having individual passwords for any site that holds personal details. Password management is a pain, but with so much of our personal details being stored online and entrusted by more organisations than ever before, it is necessary to protect yourself from fraudulent activity by practising good password use.”
Oliver Pinson-Roxburgh, EMEA director at Alert Logic:
“The National Lottery breach highlights the challenge all organisations face today – and reiterates the fact that consumers have a significant role to play in protecting their online accounts. Attackers leave digital fingerprints in their network activity or system logs that can be spotted if you know what to look for, and have qualified people looking for it. Through continuous monitoring, 24×7, and being able to distinguish normal from abnormal, organisations can identify and act against sophisticated attackers. From the statement given by Camelot, their monitoring uncovered the breach, but the breach likely occurred due to poor password management from their customers.
“Consumers will be forced to change the password on their National Lottery account, and any other accounts that use the same password. However, they need to ensure that they don’t use the same password for other accounts. You should keep track of all the user accounts and passwords you maintain on the Internet.
“A passphrase is also highly recommended, instead of a password. You can take a common phrase and create a pattern that means something to you, then add minor edits as a way to keep passphrases different. An example is: The sun rise is great today. A simple passphrase could be: Tsr!Gr82day. The passphrase is 11 characters long and contains numbers, upper/lower case letters and a symbol. The exclamation mark (!) substitutes for the “i” in the word is. You can add something specific to make the passphrase different on multiple accounts.
This really demonstrates that no brand is safe and whilst organisations need stringent security policies and technologies, consumers play a role in the security of their accounts.”
Nick Brown, group managing director at GBG:
“Whilst National Lottery has told users that financial information was not leaked, this data breach is by no means of less significant concern. Card details can be replaced but the other – more personal – information, such as your name, your job and where you live can easily be pieced together by criminals, who browse, haggle and sell personal details on the dark web, and use it for identity theft.
It’s sadly got to a point that you have to assume your identity, at some point, will be compromised. In the first instance, identity thieves will use the real identity of an individual and thereafter, create synthetic identities compiled from elements of the data stolen from a user. Organisations, therefore, need to learn from these hacks – especially as they become more common – and use more data, analytical insights and triangulation of multiple identity proofing techniques to minimise the effects of identity theft for both the user and the businesses serving them. In short, the more transparent we can be with data, the more it can be used to gather insights and intelligence that will stop the bad guys in their tracks.”
James Romer, Chief Security Architect EMEA, SecureAuth Corporation:
“This is not the first breach of this kind: Three Mobile, Deliveroo and now the National Lottery, and all in the span of a month. While steering clear of password reuse and adopting a password manager to allow for complex passwords will improve a consumer’s personal cybersecurity posture, today’s incident underlines the need to strengthen access controls. For too long organisations have relied on passwords as the single form of access control and it is simply not strong enough, nor adequate to protect vital applications and data. Multi-factor, adaptive authentication renders stolen credentials completely worthless, taking advantage of the contextual information that exists today around our identities, devices and locations, making it much harder to compromise accounts. Particularly on sites like the National Lottery where money deposits are stored and customers save their card details for convenience, leaving them with holes in their bank accounts too. Luckily, on this occasion no money or banking credentials were obtained. However, this should serve as a stark reminder of why organisations must strengthen their defences against cyber adversaries by employing cutting edge adaptive authentication.”
David Navin, Head of Corporate at Smoothwall:
“The cyber hack of National Lottery accounts highlights that financial details are not always an attacker’s end game, and demonstrates how something as simple as an email address and password can be all they need to cause damage. This once again has emphasised the issue of end users not updating or using a variety of complex passwords for different accounts, thus making them vulnerable as we’ve seen with this latest breach.
“However, the onus also lies with the companies themselves, who have a responsibility to safeguard their customers’ data and information even if the end users are not. In a digital world where companies are interconnected, hackers will look to find their weak spots and points of entry which can be through a supplier or a partner that doesn’t see itself as an appealing target. Such companies are not only an attractive option to hackers – they are often an easy one.
“No matter how big or small, all companies must protect their data and that of their partners and suppliers. They need to comply with regulation and build a layered security defence which spans encryption, firewalls, web filtering and ongoing threat monitoring as well as a proactive stance. Companies need to have all the measures and contingency plans in place so that if a breach does occur, they are able to recover and instil customer confidence as soon as possible.”
John Madelin, CEO of RelianceACSN:
“There are some interesting features associated with the data breach suffered by the National Lottery website. First, it was a vulnerability suffered through interaction with third parties, a consistent weakness in today’s online partnerships. Another common feature is the gap between the hackers getting in, and capitalizing on their position. Usually the time between compromise and theft is wide enough to cause serious cash loss; in this case it appears they didn’t take money or target Camelot’s financials, yet.
“This also highlights the fact that there are many motives that drive hackers beyond direct financial gain and that a compromise is a first step to finding and stealing valuable assets of many kinds, including data such as emails and passwords which in the wrong hands are hugely valuable. In the National Lottery’s case it looks like the cyber criminals were after personal data which they would be able to sell on the black market at a later date, and first indications suggest that Camelot was able to step in before serious damage was done. To avoid situations such as this, organisations need to understand the hidden value of the data they hold and why criminals might find it valuable – one man’s trash could be a cybercriminal’s treasure.”
Andy Herrington, Head of Cyber Professional Services in UK & Ireland at Fujitsu:
“The statement by Camelot once again draws attention to the cyber challenge presented to today’s enterprise. While it appears that 26,500 National Lottery players’ accounts were accessed, it is interesting to note that Camelot’s response is very different from many incidents reported over the course of this year.
“It appears to be very much a pro-active statement which seeks to re-assure users by providing details of the incident in a very controlled way which is easy to understand. The fact that Camelot’s monitoring systems have played a clear role and that they have been able to investigate the incident, threat vector and impact quickly also demonstrates a level of maturity and control.
“While it is yet another incident it does clearly demonstrate that organisations which prepare themselves appropriately, including monitoring and forensic services underpinned by effective incident processes, are better prepared for what many consider ‘the inevitable’. This is the direction that many organisations will need to take in preparation for GDPR.”
Chris Hodson, EMEA CISO at Zscaler:
“Cybercriminals may have hit the holiday jackpot with over 26,500 registered National Lottery users. With no technical details included in the National Lottery’s statement about how the data was exfiltrated, just that it was, we can only speculate as to the tactics of these hackers. The act of stealing personal information from these accounts but leaving financial credentials untouched also highlights that the motives of the criminals were not immediate financial fraud but highly sought-after personally identifiable information.
“The National Lottery have now outlined that no payment details or money were accessed, but that does not lessen the impact of the breach. Confidential data can still be used to build a false customer profile or commit subsequent fraud at scale.
“With the General Data Protection Regulation looming for kick-off in 2018, we have to wonder how the National Lottery would have responded if such requirements were imposed on them today.
“To mitigate risks in the short term, account holders should update passwords and avoid using the same password across multiple sites. Instead they should consider using a password vault to store a variety of different, and more complex passwords without becoming reliant on the security of corporate enterprises.”
from National Lottery data breach – Industry Reaction