Thousands of customer accounts on the National Lottery website may have been compromised.
Camelot said it believes that “around 26,500 players’ accounts were accessed”, but fewer than 50 accounts have had activity take place since the hack.
The National Lottery operator said it became aware of “suspicious activity” on a number of players’ online National Lottery Accounts on Monday.
The Guru reached out to the cyber security community to get reactions to the latest data breach.
Alex Cruz-Farmer, VP at NSFOCUS:
“This is a great example of where hackers are getting smarter, and are systematically testing username and passwords across a full spectrum of victim websites. With these persistent and systematic attacks, it is showing how vulnerable we, as users, are without the right security mechanisms in place. This is also a great reminder to everyone to stay vigilant, and to try and avoid using the same passwords across multiple platforms and websites”.
Lee Munson, security researcher for Comparitech.com:
“The fact that the National Lottery has seen players’ accounts hacked is hardly surprising, given the fact that all companies should be asking when it will happen to them, not if. It’s also no more of a surprise to learn that those behind the attack have likely used login credentials stolen from elsewhere on the web. Such an approach is becoming increasingly common, mainly because the average user recycles the same one or two passwords across all of their accounts.
While Camelot has done the right thing in freezing some accounts and enforcing password changes, it really is up to everyone to take more responsibility for their own security by using different login credentials for every single account they sign up for. If using multiple different passwords sounds tricky, do not worry, as password managers can make that aspect of your online security very easy indeed.”
Alex Mathews, EMEA technical manager, Positive Technologies:
“Big consumer brands which hold vast amounts of personal details are pay-dirt for cybercriminals. They often hold massive databases of information which can be used for follow-up attacks on other services. The people contacted should make sure they keep a close eye on their online accounts for phishing and other suspicious activity. If anything looks awry, then it is probably best to treat it with caution. Now is probably a good time for the affected people to change their passwords across the board.”
Gavin Millard, EMEA technical director, Tenable Network Security:
“Rather than the usual breach being caused by an insecure web application, blurting out confidential information with a carefully crafted request, Camelot are claiming the breach of 26,500 user accounts is due to the credentials being swiped from another website not related to The National Lottery and used to log in.
“With so many systems being breached, reusing the same password on multiple sites is a major risk. If your password is exposed on one breach, this can be leveraged against many other systems to cause further losses and exposure of personal details. Users should protect themselves against simple attacks like this by having individual passwords for any site that holds personal details. Password management is a pain, but with so much of our personal details being stored online and entrusted by more organisations than ever before, it is necessary to protect yourself from fraudulent activity by practising good password use.”
Oliver Pinson-Roxburgh, EMEA director at Alert Logic:
“The National Lottery breach highlights the challenge all organisations face today – and reiterates the fact that consumers have a significant role to play in protecting their online accounts. Attackers leave digital fingerprints in their network activity or system logs that can be spotted if you know what to look for, and have qualified people looking for it. Through continuous monitoring, 24×7, and being able to distinguish normal from abnormal, organisations can identify and act against sophisticated attackers. From the statement given by Camelot, their monitoring uncovered the breach, but the breach likely occurred due to poor password management from their customers.
“Consumers will be forced to change the password on their National Lottery account, and any other accounts that use the same password. However, they need to ensure that they don’t use the same password for other accounts. You should keep track of all the user accounts and passwords you maintain on the Internet.
“A passphrase is also highly recommended, instead of a password. You can take a common phrase and create a pattern that means something to you, then add minor edits as a way to keep passphrases different. An example is: The sun rise is great today. A simple passphrase could be: Tsr!Gr82day. The passphrase is 11 characters long and contains a number, upper/lower case letters and a symbol. The exclamation mark (!) substitutes for the “i” in the word is. You can add something specific to make the passphrase different on multiple accounts.
This really demonstrates that no brand is safe and whilst organisations need stringent security policies and technologies, consumers play a role in the security of their accounts.”
Nick Brown, group managing director at GBG:
“Whilst National Lottery has told users that financial information was not leaked, this data breach is by no means of less significant concern. Card details can be replaced but the other – more personal – information, such as your name, your job and where you live can easily be pieced together by criminals, who browse, haggle and sell personal details on the dark web, and use it for identity theft.
It’s sadly got to a point that you have to assume your identity, at some point, will be compromised. In the first instance, identity thieves will use the real identity of an individual and thereafter, create synthetic identities compiled from elements of the data stolen from a user. Organisations, therefore, need to learn from these hacks – especially as they become more common – and use more data, analytical insights and triangulation of multiple identity proofing techniques to minimise the effects of identity theft for both the user and the businesses serving them. In short, the more transparent we can be with data, the more it can be used to gather insights and intelligence that will stop the bad guys in their tracks.”
James Romer, Chief Security Architect EMEA, SecureAuth Corporation:
“This is not the first breach of this kind: Three Mobile, Deliveroo and now the National Lottery, and all in the span of a month. While steering clear of password reuse and adopting a password manager to allow for complex passwords will improve a consumer’s personal cybersecurity posture, today’s incident underlines the need to strengthen access controls. For too long organisations have relied on passwords as the single form of access control and it is simply not strong enough, nor adequate to protect vital applications and data. Multi-factor, adaptive authentication renders stolen credentials completely worthless, taking advantage of the contextual information that exists today around our identities, devices and locations, making it much harder to compromise accounts. Particularly on sites like the National Lottery where money deposits are stored and customers save their card details for convenience, leaving them with holes in their bank accounts too. Luckily, on this occasion no money or banking credentials were obtained. However, this should serve as a stark reminder of why organisations must strengthen their defences against cyber adversaries by employing cutting edge adaptive authentication.”
David Navin, Head of Corporate at Smoothwall:
“The cyber hack of National Lottery accounts highlights that financial details are not always an attacker’s end game, and demonstrates how something as simple as an email address and password can be all they need to cause damage. This once again has emphasised the issue of end users not updating or using a variety of complex passwords for different accounts, thus making them vulnerable as we’ve seen with this latest breach.
“However, the onus also lies with the companies themselves, who have a responsibility to safeguard their customers’ data and information even if the end users are not. In a digital world where companies are interconnected, hackers will look to find their weak spots and points of entry which can be through a supplier or a partner that doesn’t see itself as an appealing target. Such companies are not only an attractive option to hackers – they are often an easy one.
“No matter how big or small, all companies must protect their data and that of their partners and suppliers. They need to comply with regulation and build a layered security defence which spans encryption, firewalls, web filtering and ongoing threat monitoring as well as a proactive stance. Companies need to have all the measures and contingency plans in place so that if a breach does occur, they are able to recover and instil customer confidence as soon as possible.”
John Madelin, CEO of RelianceACSN:
“There are some interesting features associated with the data breach suffered by the National Lottery website. First, it was a vulnerability suffered through interaction with third parties, a consistent weakness in today’s online partnerships. Another common feature is the gap between the hackers getting in, and capitalizing on their position. Usually the time between compromise and theft is wide enough to cause serious cash loss; in this case it appears they didn’t take money or target Camelot’s financials, yet.
“This also highlights the fact that there are many motives that drive hackers beyond direct financial gain and that a compromise is a first step to finding and stealing valuable assets of many kinds, including data such as emails and passwords which in the wrong hands are hugely valuable. In the National Lottery’s case it looks like the cyber criminals were after personal data which they would be able to sell on the black market at a later date, and first indications suggest that Camelot was able to step in before serious damage was done. To avoid situations such as this, organisations need to understand the hidden value of the data they hold and why criminals might find it valuable – one man’s trash could be a cybercriminal’s treasure.”
Andy Herrington, Head of Cyber Professional Services in UK & Ireland at Fujitsu:
“The statement by Camelot once again draws attention to the cyber challenge presented to today’s enterprise. While it appears that 26,500 National Lottery players’ accounts were accessed, it is interesting to note that Camelot’s response is very different from many incidents reported over the course of this year.
“It appears to be very much a pro-active statement which seeks to re-assure users by providing details of the incident in a very controlled way which is easy to understand. The fact that Camelot’s monitoring systems have played a clear role and that they have been able to investigate the incident, threat vector and impact quickly also demonstrates a level of maturity and control.
“While it is yet another incident it does clearly demonstrate that organisations which prepare themselves appropriately, including monitoring and forensic services underpinned by effective incident processes, are better prepared for what many consider ‘the inevitable’. This is the direction that many organisations will need to take in preparation for GDPR.”
Chris Hodson, EMEA CISO at Zscaler:
“Cybercriminals may have hit the holiday jackpot with over 26,500 registered National Lottery users. With no technical details included in the National Lottery’s statement about how the data was exfiltrated, just that it was, we can only speculate as to the tactics of these hackers. The act of stealing personal information from these accounts but leaving financial credentials untouched also highlights that the motives of the criminals were not immediate financial fraud but highly sought personally identifiable information.
“The National Lottery have now outlined that no payment details or money were accessed, but that does not lessen the impact of the breach. Confidential data can still be used to build a false customer profile or commit subsequent fraud at scale.
“With the General Data Protection Regulation looming for kick-off in 2018, we have to wonder how the National Lottery would have responded if such requirements were imposed on them today?
“To mitigate risks in the short term, account holders should update passwords and avoid using the same password across multiple sites. Instead they should consider using a password vault to store a variety of different, and more complex passwords without becoming reliant on the security of corporate enterprises.”
Leon Pinkney, SOC Services Director at Redscan:
“With a persistent hacker capable of piercing the defences of any organisation, the importance of proactive threat detection to identify cyber-attacks early is once again highlighted. By identifying the breach in its infancy and openly communicating a plan to address it, Camelot appears intent on limiting damage by adopting both a proactive and transparent approach to incident response.
Given that the source of the attack is thought to have been the result of a hacker using stolen credentials, the only way Camelot can know how many accounts have been compromised is because they have been logged into by the perpetrator.
The public can help play their part in limiting these types of attacks by practising improved password hygiene. This includes a need to avoid using the same passwords to access multiple websites.”
Adenike Cosgrove, Cybersecurity Strategy, EMEA at Proofpoint:
“We recommend regularly changing your login credentials, using strong passwords that conform to best practices, and never re-using the same identifier across more than one account. Additionally, it is important that customers do not click on any link that they may receive in an email from Camelot, as criminals typically impersonate brands immediately after a breach, pretending to offer official advice to worried consumers.”
Mark James, Security Specialist at ESET:
“Another day and another “hack”; we see this word so often these days we need to be careful it does not lose its clout. With so much data being accumulated online from other data breaches it’s inevitable that these credentials will be used in other logins to see if we are silly enough to reuse our passwords.
What would appear to have happened here is exactly that. Camelot has stated: “We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details.” This highlights the dangers of not using unique passwords for each login.
A forum may seem an unimportant website that poses no real threat, and that may be the case until you use the same password on another website that is very important. Using password managers or 2-factor verification if available will help to reduce the damage of a data breach. Using a password manager will enable you to generate a complex unique password for each and every site you go to. Some managers will even allow you to score your current passwords, looking for duplicates and weak passwords, and help you change them; some are paid for and some are free, but when you consider the hassle of changing banking cards or the inconvenience of cancelling credit cards it’s a very small price to pay for your peace of mind.”
Javvad Malik, Security Advocate at AlienVault:
“Reports of breaches can begin to feel like groundhog day. The Camelot breach is unfortunate, but the fact that the company had not only deployed, but was effectively using, threat detection technologies meant it was able to detect suspicious account activity relatively early – and could have prevented the incident from having a bigger impact.
Unlike an episode of Columbo, it is unlikely that details will be forthcoming soon, no matter how many “last questions” one asks. But given the fact that only a segment of the 9.5 million registered accounts were compromised, there is a likelihood that passwords from other system hacks could have been reused to access lottery user accounts.
At this moment, it could be easy to stop and place the blame squarely on users. They, after all are the ones that continually make poor password choices. Such choices include choosing weak, or easy-to-guess passwords, reusing passwords on multiple sites, or having easy-to-guess secret questions to reset a password.
But before bringing down the hammer of judgement, one has to look at the continual erosion of password effectiveness alone. The recent spate of password reuse in breaches is bringing to reality the prediction that passwords alone may no longer be enough. The mantra of ‘passwords are dead’ has been chanted for many years now – but many businesses have been continuing with outdated practices.”
Rob Sobers, director at Varonis:
“From Camelot’s statement it appears that username and password details from an unrelated breach were used to compromise the National Lottery’s site. We’ve seen this type of attack time and again. While it may not have been Camelot’s own security flaw that precipitated the breach, they’re still not blameless. If attackers were able to gain access to 26,500 accounts, they likely attempted to access an order of magnitude more. Ideally this type of brute force attack would trip an alert before 26,500 accounts were compromised. In the age where publicised breach data dumps give hackers access to billions upon billions of credentials to toy with, organisations need to bolster their authentication systems—offering two factor authentication is a fantastic start!”
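The point Sobers and Pinson-Roxburgh both make, that a credential-stuffing run leaves a recognisable shape in authentication logs (one source trying many distinct accounts in a short window, most attempts failing, a few succeeding) and should trip an alert long before tens of thousands of accounts are taken over, can be shown as a small detector. The code below is an added example written for this page; it is not Camelot's monitoring, and the log format, the sample lines and the thresholds (`window`, `min_distinct_users`, `max_success_ratio`) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real National Lottery logs).
# 203.0.113.7 works through a list of accounts with mostly-failing attempts,
# which is the footprint a stuffing run leaves; 198.51.100.10 is a normal user
# who mistypes their own password once.
SAMPLE_LOG = """\
2016-11-28T09:14:01Z ip=198.51.100.10 user=alice result=OK
2016-11-28T09:14:02Z ip=203.0.113.7 user=bob result=FAIL
2016-11-28T09:14:02Z ip=203.0.113.7 user=carol result=FAIL
2016-11-28T09:14:03Z ip=203.0.113.7 user=dave result=OK
2016-11-28T09:14:03Z ip=203.0.113.7 user=erin result=FAIL
2016-11-28T09:14:04Z ip=203.0.113.7 user=frank result=FAIL
2016-11-28T09:14:04Z ip=203.0.113.7 user=grace result=FAIL
2016-11-28T09:14:05Z ip=203.0.113.7 user=heidi result=OK
2016-11-28T09:14:05Z ip=203.0.113.7 user=ivan result=FAIL
2016-11-28T09:14:06Z ip=203.0.113.7 user=judy result=FAIL
2016-11-28T09:14:06Z ip=203.0.113.7 user=mallory result=FAIL
2016-11-28T09:15:30Z ip=198.51.100.10 user=alice result=FAIL
2016-11-28T09:15:35Z ip=198.51.100.10 user=alice result=OK
"""

# Assumed log line layout: ISO timestamp, source address, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples; skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that, within a sliding window, hit many distinct
    accounts with a low success rate. A single user retrying their own
    password never reaches the distinct-account threshold, so ordinary
    mistakes do not alert. Returns {ip: summary} for every flagged source."""
    recent = defaultdict(deque)  # ip -> recent (ts, user, ok) inside the window
    alerts = {}
    for ts, ip, user, ok in sorted(events, key=lambda e: e[0]):
        q = recent[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u, _ in q}
        successes = sum(1 for _, _, s in q if s)
        if len(users) >= min_distinct_users and successes / len(q) <= max_success_ratio:
            summary = alerts.setdefault(ip, {
                "first_seen": q[0][0],
                "accounts_tried": set(),
                "accounts_succeeded": set(),
            })
            summary["accounts_tried"] |= users
            summary["accounts_succeeded"] |= {u for _, u, s in q if s}
    return alerts


if __name__ == "__main__":
    for ip, s in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {len(s['accounts_tried'])} accounts tried, "
              f"{len(s['accounts_succeeded'])} taken over since {s['first_seen']}")
```

The summary keeps both the accounts attempted and the accounts actually entered, because the response to a stuffing run is different for each set: accounts that were logged into need a forced password reset and a review of activity, while the far larger set that was merely tried is the signal that an attacker holds a leaked credential list, and is the number an operator would use to size the response rather than the successes alone.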
Ryan Wilk, VP of customer success at NuData Security:
“The key takeaway for all consumers from this breach is that password security is important, and especially, do not use the same password everywhere! It’s lucky that only a very few accounts were affected and there was no money lost, however, it illustrates that all pieces of information are valuable to hackers who in these cases typically investigate accounts for future fraud once they obtain access.
“It’s an unfortunate fact of life these days that breaches continue seemingly unabated. Our personal records are being shared on the dark web – sometimes years after the breach occurs. Data breaches continue to build upon each other, with each breach adding additional intelligence to achieving the goal of complete profiles of identities for a large segment of our population up for sale on the dark web. Where credit card fraud was all the rage a couple years ago, it is this kind of account takeover that is on the painful and dramatic rise. There are behaviorally-based methods that online merchants, banks, and providers, are going to need to deploy that will help keep consumer accounts safe, even if valid credentials are presented. These solutions give true insight into who sits behind the device – and provide a high-level of trust that it is the consumer, and not a fraudster using our identity information online. You can, and should, start expecting organizations you interact with to use these multi-layered and behavioral-based solutions to protect your online accounts.”