Updated on 03 December 2016
Following our statement of 30 November 2016 regarding suspicious activity on a very small proportion of online National Lottery Accounts, we are continuing to work closely with the National Crime Agency and the National Cyber Security Centre on this criminal matter.
Of our 9.5 million registered online players, around 26,500 players’ accounts were accessed. A much smaller number – just 43 – have had some activity take place within the account since it was accessed. On further investigation, including direct contact with some of the affected players, we are confident that the vast majority of this activity was legitimately carried out by the players themselves. With those players who we believe may not have carried out the activity, our investigations continue on a case-by-case basis to understand exactly what has happened and to help them to re-activate their accounts securely.
Although the investigation is ongoing, we remain completely satisfied that there has been no unauthorised access to core National Lottery systems or any of our databases, which means that there has been no impact on National Lottery draws or on the payment of prizes. In addition, we continue to believe that email addresses and passwords may have been stolen from another website where affected players use the same details – however, we are unable to confirm at this stage whether this involves just one site, or whether the details came from multiple sites that have been compromised in past cyber-attacks.
We have contacted all 26,500 affected players to apologise for what happened, outline what further steps they can take to protect themselves and to explain that they will not be able to get into their online National Lottery accounts until they have changed their password. We have also put prominent messaging on the National Lottery website advising all players to change their passwords and improve password strength as a precaution.
Cyber criminals such as this are persistent, and we are continuing to monitor and protect our systems. However, we’d like to reassure our customers that protecting their personal data is of the utmost importance to us. We are very sorry for any inconvenience this may cause to our players and would like to encourage those with any concerns to contact us directly, so we can discuss it with them in more detail.