About 26,500 National Lottery accounts may have been hacked, and 50 of those have since seen suspicious activity, operator Camelot has announced.
The firm said its own systems and databases had not been accessed, but it believes passwords and emails used to log in to the National Lottery site may have been stolen from another website where customers had been using the same login details.
Camelot first spotted the issue on Monday (28 November), and says no money has been deposited in or withdrawn from affected accounts – but it admits players' personal information may have been accessed.
All affected accounts have been suspended and Camelot is now "proactively contacting" those account holders to prompt them to reset their passwords. MoneySavingExpert.com has asked Camelot for more detail on how those customers will be contacted.
However, the operator is advising all 9.5 million National Lottery customers with online accounts to change their passwords and improve their passwords' strength "as a precaution".
The Information Commissioner's Office (ICO) has confirmed it's now investigating the possible breach.
An ICO spokesperson says: "We are aware of this incident and we have launched an investigation. Camelot submitted a breach report to us last night which we have reviewed. We will be talking to Camelot today.
"The Data Protection Act requires organisations to do all they can to keep personal data secure – that includes protecting it from cyber-attacks. Where we find this has not happened, we can take action."
What personal details could hackers have seen?
Camelot says it DOESN'T hold full bank account or card details online, and says no money has been taken from affected players. But the following information can be seen when you log in to a National Lottery account:
- Name and title
- Email address
- Home phone and mobile numbers
- Date of birth
- The last four digits of your registered card number (if you have one) and its expiry date
For customers with direct debits set up, the following information will also be visible:
- The last four digits of your bank account number
- Your sort code
I've got a National Lottery account – what should I do?
The main message is to change your password straight away.
As explained above, the site doesn't store full bank account or debit card information, and we've not heard any reports of customers' bank accounts or cards being defrauded as a result of this possible hack.
However, if you spot any fraudulent activity on your bank account, you should always contact your bank as soon as possible.
How can I create strong passwords?
Creating strong and memorable passwords is a challenge, but MSE Nick has some top tips to help you do it:
- Establish a number of key words. Pick words that mean something to you but aren't obvious or guessable – start with one or two until those are cemented in your head.
- Establish a few key numbers. Avoid obvious dates such as your birthday.
- Create passwords using a combination of both. Use the words or numbers forwards or backwards, capitalised or not capitalised.
- Note the password down IN CODE somewhere safe and convenient. Never write the full words or numbers down; use codewords or an alphabet grid to 'encrypt' them.
For more help on password security, read Nick's full guide.
What does Camelot say?
In a statement the company said: "We'd like to reassure our customers that protecting their personal data is of the utmost importance to us. We are very sorry for any inconvenience this may cause to our players and would like to encourage those with any concerns to contact us directly, so we can discuss it with them in more detail."
Online players concerned about their account security can call Camelot on 0844 338 5461.