UK National Lottery Community Fund Suffered a Catastrophic Data Breach

• The UK National Lottery Community Fund has suffered a data breach that exposed data of grant holders and applicants.
• The compromised details include names, email addresses, phone numbers, and limited bank account data.
• There are no clarifications around what exactly has happened, but the ICO has been informed about the event.

The UK National Lottery Community Fund is sending notices of a data breach to affected individuals like grant holders and applicants. The organization operates a fund distribution program titled “Building Better Opportunities,” which aims to provide financial support to various good causes. In the past couple of years, it has awarded £588 million ($807 million) to 8,189 community projects. Unfortunately, the security breach has compromised all details relevant to this program, with the exposed data ranging between September 2013 and December 2019.

We've given out a share of almost £200 million in #NationalLottery funding to over 4,500 community groups since January.

Thanks to #NationalLottery players, communities across England are getting support to overcome the challenges raised by #COVID19. 👇https://t.co/B78neWGOcI pic.twitter.com/XPMXA1qtXX

— The National Lottery Community Fund (@TNLComFund) July 13, 2021

The details included in the accessed (and possibly exfiltrated) data set include the following:

• Full names
• Physical addresses
• Email addresses
• Landline phone numbers
• Mobile phone numbers
• Dates of birth
• Bank account details (name of bank account sort code, and account number)
• Applicant organizations’ addresses and websites

What hasn’t been exposed is bank account PINs, passwords, and card details, since these aren’t collected and/or stored by the UK National Lottery Community Fund. This isn’t enough to alleviate the problems that arise from the exposed details, though, as several entries are data that cannot be reset or changed.

The organization is still investigating the incident, and they will update the affected individuals as well as the public about any new findings. Also, the UK Information Commissioner’s Office (ICO) has been notified as dictated by law. The National Lottery Community Fund expressed its apology for the inconvenience and underlined that this was the first time they had to deal with such an unfortunate event in their long history.

People who think they may have been affected by this incident are urged to change their online account passwords, be vigilant against incoming email or phone calls or SMS communications, and keep a close eye on the activity of their bank accounts. If anything suspicious pops up, you should notify the authorities immediately.

For now, no details about what exactly has happened have been made public, so it is unknown if this is a ransomware incident, a network breach, or something else. A spokesperson from the organization has stated that at the moment, the priority is to help the customers understand whether or not they have been affected, and for those who have, help them protect against the threats.