The BBC reported this morning (here) that Camelot, the operator of the UK’s National Lottery, had suffered a data breach.
Some 26,500 of the National Lottery’s 9.5 million online customers had had their accounts compromised – comprising transaction history, date of birth, bank sort code, and the last four digits of their bank account number.
Of those 26,500, 50 “had some activity take place”.
It’s to Camelot’s credit that they locked down their systems on Monday after noticing suspicious activity, even though they don’t “hold full debit card or bank account details in National Lottery players’ online accounts”.
Customers whose accounts may have been compromised have been forced to change their passwords.
It has been suggested that these accounts were accessed using passwords sourced elsewhere and re-used; once again highlighting the dangers of using the same password on multiple sites.
It is also another potential ‘padding’ attack, in which hackers build a database of customer details that they might later use to create fake identities.
While data breaches continue to be revealed with a scary frequency, the number of data breaches involving financial information is becoming scarcer. That’s a good sign in that merchants are taking the security of payment card data seriously; the hackers are now turning their attention to ‘softer’ targets and sourcing personal rather than financial data.
Once again, we stress the need to be careful with online passwords and not re-use them across different online accounts.
There are a number of secure password ‘vault’ applications that store complex passwords; these might be worth considering if you have a large number of online accounts.
It’s also worth remembering that, as we recently reported here – regarding the recent Tesco Bank data breach – when GDPR comes into force in the UK in May 2018, the fines for the insecure storage of personal data could be “up to 4 % of the total worldwide annual turnover of the preceding financial year”.
Last year’s annual accounts from Camelot showed that gross ticket sales totalled £7.2 billion; 4% of that would be a cool £288 million.
In the meantime Camelot are subject to the UK Data Protection Act, and the Information Commissioner’s Office (ICO) has the power to levy fines of up to £500k.
The ICO released this comment regarding the Camelot data breach:
“We are aware of this incident and we have launched an investigation. Camelot submitted a breach report to us last night which we have reviewed. We will be talking to Camelot today.
“The Data Protection Act requires organisations to do all they can to keep personal data secure – that includes protecting it from cyber attacks. Where we find this has not happened, we can take action. Organisations should be reminded that cyber security is a matter for the boardroom, not just the IT department.”
Is your company, and more importantly the boardroom, ready for GDPR?
We can help; get in touch.