Cyber Incident Victim: National Lottery
Date: Sep 2017
Location: United Kingdom
Summary
The National Lottery operator experienced a distributed denial of service (DDoS) attack that disrupted its website and mobile app for approximately 90 minutes, preventing online ticket purchases while retail transactions remained unaffected. This marked the organization's second significant cybersecurity incident within a year, following a prior breach where hackers accessed information from 26,500 online player accounts. The operator acknowledged the disruption and apologized for inconveniences caused to users attempting digital access during the attack window.
Description
On September 30, 2017, Camelot Group experienced a distributed denial of service (DDoS) attack targeting the National Lottery website and mobile application. The attack commenced around 6:00 PM and lasted approximately 90 minutes, disrupting service until 7:30 PM that evening. During this period, hackers flooded the digital platforms with excessive online traffic, overwhelming systems and preventing legitimate users from accessing ticket purchasing functions. The outage specifically impacted players attempting to buy lottery tickets through the website or mobile app. Camelot confirmed the incident publicly, characterizing it as part of a broader pattern affecting many companies. Retail ticket sales remained operational throughout the attack, with Camelot directing affected customers to its network of 46,000 physical retailers as an alternative purchasing channel. The company issued a formal apology to players for the inconvenience caused by the service disruption.

This marked the second significant cybersecurity incident affecting Camelot's National Lottery operations within a twelve-month period. In November 2016, unauthorized actors had compromised approximately 26,500 online lottery accounts, accessing customer information through undisclosed means. The 2017 DDoS attack differed in methodology and immediate impact, focusing on service availability rather than data exfiltration. Camelot's public response to the DDoS incident emphasized operational transparency regarding the attack duration and affected systems while assuring continuity of retail sales channels. No technical details about mitigation measures or attacker attribution were disclosed in the public statement. The consecutive security events highlighted recurring vulnerabilities in Camelot's digital infrastructure, though the company did not disclose whether the two incidents were related or involved similar threat actors.
