Hackers are believed to have compromised the accounts of approximately 26,500 National Lottery players.
Camelot, the company that operates the Lottery, launched an investigation after it detected suspicious activity on the accounts of a small fraction of its 9.5 million registered online players. So far, the firm has determined that the hackers did not gain access to its internal systems and databases. Instead, it suspects the attackers reused players' login credentials from other hacked web services.
Its investigation into the incident is ongoing. As Camelot explains in a statement:
"We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details.
"We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited. However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed."
The company has suspended all 26,500 accounts affected by the incident, including 50 accounts whose personal details someone changed. Camelot is currently working to contact each of the account owners and assist them in re-activating their accounts securely and creating a new password.
In the meantime, the company is working with the National Crime Agency and the National Cyber Security Centre to investigate the criminal matter. It has also reached out to the Information Commissioner's Office (ICO).
A spokesperson for the ICO confirmed as much to BBC News:
"Camelot submitted a breach report to us last night which we have reviewed. We will be talking to Camelot today.
"The Data Protection Act requires organisations to do all they can to keep personal data secure - that includes protecting it from cyberattacks. Where we find this has not happened, we can take action.
"Organisations should be reminded that cybersecurity is a matter for the boardroom, not just the IT department."
To protect themselves and their corporate data against password reuse attacks, it's up to each organization to educate its users about password security, including how they can and should use strong passwords for each of the web services they use. Organizations can raise awareness among their workforce with the help of third-party security training software.