National lottery suffers cybersecurity incident

Luxembourg’s national lottery revealed on Friday that the IT systems of one of its subcontractors have fallen victim to a security incident.

The subcontractor in question is responsible for the operation and maintenance of sports betting platform loteriesport.lu.

The lottery company, La Société Nationale de Loterie, which is publicly owned, confirmed in a press release that the incident may have allowed unauthorised access to players’ personal data, “despite the security and protection measures in place to ensure the confidentiality and integrity of this data”.

The company has already informed all players who are potentially affected, as is required under the EU’s GDPR data protection law. It has also informed the National Commission for Data Protection.

“We wish to reassure National Lottery customers that no information concerning passwords or payment cards is affected by the incident,” the press release said, adding: “Furthermore, these circumstances do not affect our lottery gaming platform loterie.lu or the personal data stored there.”

Only customers using the Loterie’s sport platform are potentially affected by the breach that includes people’s names and usernames, their addresses and phone numbers, bank information and their transaction history on the site.

The company says it has depolyed “urgent corrective measures” and is working with its subcontractor to bolster protection and prevention measures.

The Loterie’s sport platform remains operational and accessible to players and the incident had no effect on players’ online wallets or bets currently placed. No money is believed to have been stolen and the company did not speculate in its press release how the breach happened.