Cyber Incident Victim: National Lottery
Date: Nov 2016
Location: United Kingdom
Summary
Approximately 26,500 online accounts associated with the National Lottery were compromised due to credential stuffing, where attackers used login details likely stolen from other platforms. The lottery operator stated its own systems remained secure, with no financial transactions occurring, though personal information in some accounts was accessed and suspicious activity occurred on fewer than 50 accounts. Following detection of unusual login attempts from multiple IP addresses, the operator blocked the activity, notified affected users to reset passwords, and reported the breach to regulators, prompting an investigation into compliance with data protection obligations. A security expert highlighted concerns that the scale of successful unauthorized logins indicated potential authentication vulnerabilities despite the company's defense of its security measures.
Description
On November 27, 2016, Camelot, operator of The National Lottery, detected unauthorized access attempts targeting player accounts. The company identified approximately 26,500 compromised accounts from its 9.5 million registered online users, representing less than 0.3% of the total user base. Camelot's investigation concluded its systems remained secure, attributing the breach to credential stuffing attacks where hackers reused login credentials stolen from unrelated third-party platforms. No financial transactions occurred—neither withdrawals from nor deposits to affected accounts—as the system did not store full debit card or bank account details. However, personal information stored within user profiles may have been accessed during the incident. Camelot observed additional suspicious activity on fewer than 50 accounts beyond the initial credential compromises. The Information Commissioner's Office (ICO) initiated an investigation after receiving Camelot's breach notification on November 29, emphasizing organizational responsibility for data protection under the Data Protection Act.

Camelot responded by directly notifying affected account holders and mandating password resets. The company defended its security protocols, explaining that cybercriminals employed multiple IP addresses to conduct rapid login attempts, which triggered detection systems through abnormal traffic patterns. Security expert Troy Hunt questioned Camelot's account security measures, noting that 26,500 successful logins indicated insufficient authentication controls despite the credential reuse. Camelot countered that its systems blocked further attempts after identifying the surge in failed and successful logins. The ICO reinforced that cybersecurity required executive-level attention, not just IT department oversight. No evidence emerged of financial harm to users, though the potential exposure of personal data remained a documented consequence. Camelot maintained throughout that no internal system vulnerabilities facilitated the breach, attributing all access to externally compromised credentials.
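The detection signal described above (a surge of rapid logins across many source addresses, mostly failing but some succeeding, followed by forced resets on the accounts that were reached) can be expressed as a simple rule over authentication telemetry. The following is an added example, not Camelot's code or anything from this page; the thresholds, the `LoginEvent` shape and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginEvent:
    ip: str
    user: str
    ok: bool    # login succeeded?

# Constructed telemetry for one 60-second window (not real data). Three
# ordinary events (a retry after a typo, one clean login), then the stuffing
# signature the page describes: 120 distinct usernames tried once each from
# 40 addresses, most failing, a few succeeding on reused passwords.
SAMPLE = [
    LoginEvent("198.51.100.7", "alice", False),
    LoginEvent("198.51.100.7", "alice", True),
    LoginEvent("203.0.113.4", "bob", True),
]
SAMPLE += [LoginEvent(f"192.0.2.{i % 40}", f"user{i:04d}", i % 11 == 0)
           for i in range(120)]

def detect_stuffing(events, min_attempts=100, min_ips=10,
                    min_fail_ratio=0.5, min_user_spread=0.8, users_per_ip=3):
    """Classify one window of login events as credential stuffing or not.

    Stuffing, unlike brute force, tries each account about once (one leaked
    password), spreads volume over many source IPs, and fails often but not
    always. Returns the verdict, summary counters, and the accounts that
    authenticated from addresses that also tried other usernames (the set
    to force a password reset on). Thresholds are assumed, not tuned.
    """
    attempts = len(events)
    if attempts == 0:
        return {"flagged": False, "attempts": 0, "reset_accounts": []}
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e.ip].add(e.user)
    fails = sum(not e.ok for e in events)
    distinct_users = len({e.user for e in events})
    flagged = (attempts >= min_attempts
               and len(users_by_ip) >= min_ips
               and fails / attempts >= min_fail_ratio
               and distinct_users / attempts >= min_user_spread)
    # An address cycling through several usernames is part of the spray; a
    # success from it is a compromised account, not a returning customer.
    spray_ips = {ip for ip, us in users_by_ip.items() if len(us) >= users_per_ip}
    reset = sorted({e.user for e in events if e.ok and e.ip in spray_ips}) if flagged else []
    return {"flagged": flagged, "attempts": attempts, "ips": len(users_by_ip),
            "users": distinct_users, "fails": fails, "reset_accounts": reset}
```

On the constructed window the rule fires and isolates the 11 accounts that authenticated from spraying addresses, while alice's legitimate retry and bob's clean login are left alone; the same three ordinary events on their own are not flagged.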
