National Lottery Data Breach – some thoughts from Leighton Hughes

News and information from the Advent IM team.

A post from Leighton Hughes

I read a few days ago about the latest information security breach, which seems to be an ever-common appearance in today’s news. This time it’s not Police related (the Police do seem to be the front runners in having these types of data breaches); on this occasion it’s the National Lottery.

However, there is a familiar feel to this one, more so because it is incredibly similar to what happened to Humberside Police in 2018, who failed to encrypt extremely sensitive disks relating to a serious crime they were investigating and were fined a large amount of money. When you look at it, and at how Police forces continuously talk about their budgets being cut, their failure to appropriately look after sensitive information in their care cost them a £130,000 fine, which is not pocket change, well not for me anyway.

When I look at the National Lottery Community Fund’s breach, it has me thinking about where they went wrong to allow this to happen, with more than six years’ worth of information relating to their customers, including names, addresses, email addresses, phone numbers, bank account numbers and dates of birth, going missing, presumed lost, but also possibly stolen. My thoughts are along these lines, though not limited to what I have noted below:

  • Have they genuinely lost it in the office?
  • Disgruntled employee, knowing the failings on the unencrypted disks, “lost” it on purpose, knowing the ramifications it will cause the organisation and the person responsible for the information?
  • Insider Threat / Disgruntled Employee sold the unencrypted disks to another, such as Organised Crime or another third party for their own financial gain?
  • Failed Policies and Procedures in ensuring that all data, relating to personal information and sensitive data is encrypted when transferred to removable media?
  • And, due to the lack of an audit trail for the creation of these disks, have they been lost in the post? This would be similar to what occurred in 2007 with HMRC in Washington, Tyne and Wear, where sensitive information was sent in the post via insecure means by a junior member of staff who didn’t know the correct way of doing things.
  • Will there be much reputational damage to the National Lottery?

This is certainly an incident I will be keeping an eye on in the coming months for the ICO’s findings from their investigation, to find out where it went wrong for the National Lottery, but also how much they will be fined, because looking at what this arm of the National Lottery does, the fine they will receive, which I believe will be a large amount, could have been used better elsewhere. It will be their charities that will suffer, such as through the potential loss of funding. But also, and in my opinion more seriously, the thousands of their customers whose data has been lost are now potentially vulnerable to fraud being committed under their name.
