26,500 National Lottery accounts are feared to have been hacked, according to its operator Camelot. The firm said it did not believe its own systems had been compromised, but rather that the players’ login details had been stolen from elsewhere. IT security experts from ESET, AlienVault, Alert Logic, Positive Technologies, GBG, Tenable Network Security, Avast, Zscaler and NSFOCUS commented below.
Mark James, Security Specialist at ESET:
“Another day and another “hack”; we see this word so often these days we need to be careful it does not lose its clout. With so much data being accumulated online from other data breaches it’s inevitable that these credentials will be used in other logins to see if we are silly enough to reuse our passwords.
What would appear to have happened here is exactly that. Camelot has stated, “We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details.” This highlights the dangers of not using unique passwords for each login.
A forum may seem an unimportant website and pose no real threat, and that may be the case until you use the same password on another website that is very important. Using password managers or 2 factor verification if available will help to reduce the damage of a data breach. Using a password manager will enable you to generate a complex unique password for each and every site you go to. Some managers will even allow you to score your current passwords looking for duplicates and weak passwords and help you change them. Some are paid for and some are free, but when you consider the hassle of changing banking cards or the inconvenience of cancelling credit cards it’s a very small price to pay for your peace of mind.”
Javvad Malik, Security Advocate at AlienVault:
“Reports of breaches can begin to feel like groundhog day. The Camelot breach is unfortunate, but the fact that the company had not only deployed, but was effectively using, threat detection technologies meant the company was able to detect suspicious account activity relatively early – and could have prevented the incident from having a bigger impact.
Unlike an episode of Columbo, it is unlikely that details will be forthcoming soon, no matter how many “last questions” one asks. But given the fact that only a segment of the 9.5 million registered accounts were compromised, there is a likelihood that passwords from other system hacks could have been reused to access lottery user accounts.
At this moment, it could be easy to stop and place the blame squarely on users. They, after all, are the ones that continually make poor password choices. Such choices include choosing weak, or easy-to-guess passwords, reusing passwords on multiple sites, or having easy-to-guess secret questions to reset a password.
But before bringing down the hammer of judgement, one has to look at the continual erosion of password effectiveness alone. The recent spate of password reuse in breaches is bringing to reality the prediction that passwords alone may no longer be enough. The mantra of ‘passwords are dead’ has been chanted for many years now – but many businesses have been continuing with outdated practices.”
Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:
“The National Lottery breach highlights the challenge all organisations face today – and reiterates the fact that consumers have a significant role to play in protecting their online accounts. Attackers leave digital fingerprints in their network activity or system logs that can be spotted if you know what to look for, and have qualified people looking for it. Through continuous monitoring, 24×7, and being able to distinguish normal from abnormal, organisations can identify and act against sophisticated attackers. From the statement given by Camelot, their monitoring uncovered the breach, but the breach likely occurred due to poor password management from their customers.
Consumers will be forced to change the password on their National Lottery account, and any other accounts that use the same password. However, they need to ensure that they don’t use the same password for other accounts. You should keep track of all the user accounts and passwords you maintain on the Internet.
A passphrase is also highly recommended, instead of a password. You can take a common phrase and create a pattern that means something to you, then add minor edits as a way to keep passphrases different. An example is: The sun rise is great today. A simple passphrase could be: Tsr!Gr82day. The passphrase is 11 characters long and contains numbers, upper/lower case letters and a symbol. The exclamation mark (!) substitutes for the “i” in the word is. You can add something specific to make the passphrase different on multiple accounts.
This really demonstrates that no brand is safe and whilst organisations need stringent security policies and technologies, consumers play a role in the security of their accounts.”
Alex Mathews, EMEA Technical Manager at Positive Technologies:
“Big consumer brands which hold vast amounts of personal details are pay-dirt for cybercriminals. They often hold massive databases of information which can be used for follow-up attacks on other services. The people contacted should make sure they keep a close eye on their online accounts for phishing and other suspicious activity. If anything looks awry, then it is probably best to treat it with caution. Now is probably a good time for the affected people to change their passwords across the board.”
Nick Brown, Group Managing Director at Identity Data Intelligence Company GBG:
“Whilst National Lottery has told users that financial information was not leaked, this data breach is by no means of less significant concern. Card details can be replaced but the other – more personal – information, such as your name, your job and where you live can easily be pieced together by criminals, who browse, haggle and sell personal details on the dark web, and use it for identity theft.
It’s sadly got to a point that you have to assume your identity, at some point, will be compromised. In the first instance, identity thieves will use the real identity of an individual and thereafter, create synthetic identities compiled from elements of the data stolen from a user. Organisations, therefore, need to learn from these hacks – especially as they become more common – and use more data, analytical insights and triangulation of multiple identity proofing techniques to minimise the effects of identity theft for both the user and the businesses serving them. In short, the more transparent we can be with data, the more it can be used to gather insights and intelligence that will stop the bad guys in their tracks.”
Gavin Millard, EMEA Technical Director at Tenable Network Security:
“Rather than the usual breach being caused by an insecure web application, blurting out confidential information with a carefully crafted request, Camelot are claiming the breach of 26,500 user accounts is due to the credentials being swiped from another website not related to The National Lottery and used to log in.
“With so many systems being breached, reusing the same password on multiple sites is a major risk. If your password is exposed on one breach, this can be leveraged against many other systems to cause further losses and exposure of personal details. Users should protect themselves against simple attacks like this by having individual passwords for any site that holds personal details. Password management is a pain, but with so much of our personal details being stored online and entrusted by more organisations than ever before, it is necessary to protect yourself from fraudulent activity by practicing good password use.”
Pete Turner, Consumer Security Expert at Avast:
“Consumers can no longer trust companies to keep their data safe, and the regular news stories hitting the headlines of data breaches are an example of this. It’s important for people to take control of their data and to understand its value. My tips for staying safe online are:
- Secure any online accounts, such as banking or social media, and not just your National Lottery account by ensuring they aren’t sharing the same email and password combination. If you are re-using login details across multiple accounts, change them and use two-step authentication if possible, such as a password and a back-up phone number or other account.
- Be alert to suspicious activity on your accounts such as receiving any potentially fake emails. If your data is at risk for having been compromised, you should validate these as genuine by contacting the company that sent them directly or visiting their website before taking any of the action suggested by the email.
- Finally, as you would expect, I always recommend having a good internet security product on your PC or mobile devices. Whether you use a laptop or a tablet to access your online accounts, you should always ensure you are as protected as possible against any hacks, phishing tricks or spam emails because as we have seen, we can’t rely on other people to keep us safe online.”
Chris Hodson, EMEA CISO at Zscaler:
“Cybercriminals may have hit the holiday jackpot with over 26,500 registered National Lottery users. With no technical details included in the National Lottery’s statement about how the data was exfiltrated, just that it was, we can only speculate as to the tactics of these hackers. The act of stealing personal information from these accounts but leaving financial credentials untouched also highlights that the motives of the criminals were not immediate financial fraud but highly sought personally identifiable information.
“The National Lottery have now outlined that no payment details or money were accessed, but that does not lessen the impact of the breach. Confidential data can still be used to build a false customer profile or commit subsequent fraud at scale.
“With the General Data Protection Regulation looming for kick-off in 2018, we have to wonder how the National Lottery would have responded if such requirements were imposed on them today?
“To mitigate risks in the short term, account holders should update passwords and avoid using the same password across multiple sites. Instead they should consider using a password vault to store a variety of different, and more complex passwords without becoming reliant on the security of corporate enterprises.”
Alex Cruz-Farmer, VP at NSFOCUS:
“This is a great example of where hackers are getting smarter, and are systematically testing usernames and passwords across a full spectrum of victim websites. With these persistent and systematic attacks, it is showing how vulnerable we, as users, are without the right security mechanisms in place. This is also a great reminder to everyone to stay vigilant, and to try and avoid using the same passwords across multiple platforms and websites.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.