National Lottery data breach

Following this morning’s news of the National Lottery data breach, please find below comments from Alert Logic and Positive Technologies.

Oliver Pinson-Roxburgh, EMEA director at Alert Logic:

“The National Lottery breach highlights the challenge all organisations face today – and reiterates the fact that consumers have a significant role to play in protecting their online accounts. Attackers leave digital fingerprints in their network activity or system logs that can be spotted if you know what to look for, and have qualified people looking for it. Through continuous monitoring, 24×7, and being able to distinguish normal from abnormal, organisations can identify and act against sophisticated attackers. From the statement given by Camelot, their monitoring uncovered the breach, but the breach likely occurred due to poor password management from their customers.

Consumers will be forced to change the password on their National Lottery account, and any other accounts that use the same password. However, they need to ensure that they don’t use the same password for other accounts. You should keep track of all the user accounts and passwords you maintain on the Internet.

A passphrase is also highly recommended, instead of a password. You can take a common phrase and create a pattern that means something to you, then add minor edits as a way to keep passphrases different. An example is: The sun rise is great today. A simple passphrase could be: Tsr!Gr82day. The passphrase is 11 characters long and contains numbers, upper/lower case letters and a symbol. The exclamation mark (!) substitutes for the “i” in the word is. You can add something specific to make the passphrase different on multiple accounts.

This really demonstrates that no brand is safe and whilst organisations need stringent security policies and technologies, consumers play a role in the security of their accounts.”

Alex Mathews, EMEA technical manager, Positive Technologies:

“Big consumer brands which hold vast amounts of personal details are pay-dirt for cybercriminals. They often hold massive databases of information which can be used for follow-up attacks on other services. The people contacted should make sure they keep a close eye on their online accounts for phishing and other suspicious activity. If anything looks awry, then it is probably best to treat it with caution. Now is probably a good time for the affected people to change their passwords across the board.”