UK National Lottery's Operator Denies SQL Injection

The privacy of the players has not been put at risk

26 Feb 2009, 08:39 GMT
Following the disclosure of an alleged SQL injection vulnerability on the website of the National Lottery in the UK, Camelot Group plc, the company responsible for operating it, claims that no sensitive information regarding its registered users has been compromised.

We have previously reported that a group of white-hat hackers documented what they claimed to be an SQL injection attack against national-lottery.co.uk. Two screenshots revealing a listing of the database tables and partial login credentials for an administrative account have been published.

However, because the first part of the URL was blotted out in the screenshots, allegedly to prevent ill-intentioned replication of the attack, this opened the door to speculation about whether the issue concerned the main www.national-lottery.co.uk website or another subdomain with an unspecified purpose.

Because we outlined the possible risks to the privacy of lottery players if the main database had indeed been compromised, we were contacted by the Media Relations Manager of Camelot Group, Mr. Rob Dwight, who made it clear that "The National Lottery website is a safe and secure way for players to enjoy playing National Lottery Games, and has been since the launch of our interactive services in 2003."

"Camelot can confirm that the main player site at http://www.national-lottery.co.uk has not been compromised, as outlined on softpedia.com. As a result, there is no risk to company or player information," the company representative notes.

Mr. Dwight has not specified whether an SQL injection vulnerability affected a different page hosted on a national-lottery.co.uk subdomain, but he has pointed out that "We do our utmost to continually ensure that our interactive systems are as secure as possible, and regularly review the extensive measures in place to safeguard our players." He has also stressed that "We have implemented industry standard technical solutions to protect our systems and to ensure that player information is kept secure at all times."

Camelot Group plc is licensed by the UK's National Lottery Commission to operate the lottery games. The company has been managing the National Lottery project since its launch in 1994, and began its third consecutive 8-year license period at the end of January 2009. According to its own description, "Camelot manages the National Lottery infrastructure, designs new games, develops the marketing support for lottery products, provides services for players and winners, and runs the network that sells tickets to players in partnership with 26,000 retailers UK-wide."
