A Londoner who hacked the UK National Lottery website to steal sensitive customer information has been sentenced to nine months in prison.
Prosecutors said Anwar Batson used “credential stuffing” to launch the attack in late 2016. This involves using lists of usernames and passwords stolen in previous data breaches to gain unauthorized access to user accounts through large-scale automated login requests.
Because many people reuse the same username and password across multiple web accounts, credential stuffing will succeed against some fraction of accounts whenever it is attempted across a large enough volume of them.
A study by cyber security firm SecureAuth found that 81 percent of internet users have reused a password across two or more sites and 25 percent use the same password across most of their accounts.
The UK National Lottery database contains details of around 9 million accounts.
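The pattern described above, many distinct usernames tried from one source with only a handful of successes, is also what makes credential stuffing detectable on the defender's side. The following is an added illustration, not code from the article or from Camelot's systems: it runs a simple detection over constructed login records (the IP addresses, usernames and thresholds are assumed sample values) and lists the accounts that a flagged source managed to log into, which is the set an operator would need to reset and notify.

```python
from collections import defaultdict

# Constructed sample login records as (source_ip, username, outcome).
# These are illustrative values only, not data from the lottery incident.
SAMPLE_ATTEMPTS = [("198.51.100.20", f"user{n}", "fail") for n in range(7)]
SAMPLE_ATTEMPTS += [("198.51.100.20", "user7", "success")]  # one reused password matched
SAMPLE_ATTEMPTS += [
    ("192.0.2.5", "alice", "fail"),      # ordinary user mistyping a password twice
    ("192.0.2.5", "alice", "fail"),
    ("192.0.2.5", "alice", "success"),
]


def credential_stuffing_suspects(attempts, min_distinct_users=5, max_success_ratio=0.2):
    """Return source IPs whose pattern looks like credential stuffing:
    many distinct usernames attempted from one source, low success rate.
    Thresholds are assumed defaults and should be tuned to the site's traffic."""
    stats = defaultdict(lambda: {"users": set(), "total": 0, "ok": 0})
    for ip, user, outcome in attempts:
        s = stats[ip]
        s["users"].add(user)
        s["total"] += 1
        if outcome == "success":
            s["ok"] += 1
    suspects = {}
    for ip, s in stats.items():
        ratio = s["ok"] / s["total"]
        if len(s["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            suspects[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["total"],
                "successes": s["ok"],
            }
    return suspects


def accounts_to_reset(attempts, suspects):
    """Usernames that a flagged source logged into successfully; these are the
    accounts that need a forced password reset and a customer notification."""
    return sorted({user for ip, user, outcome in attempts
                   if ip in suspects and outcome == "success"})


if __name__ == "__main__":
    flagged = credential_stuffing_suspects(SAMPLE_ATTEMPTS)
    print("suspect sources:", flagged)
    print("accounts to reset:", accounts_to_reset(SAMPLE_ATTEMPTS, flagged))
```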
Wages of Sin
The court heard that despite successfully breaching the lottery’s system, Batson was no criminal mastermind.
He gave the username and password of one lottery customer to an accomplice, Idris Akinwunmi, who emptied the account for a grand total of £13 ($16.90). Batson’s cut of the spoils was £5 ($6.50).
Nevertheless, the breach was serious enough for lottery provider Camelot to issue a statement warning its players that 26,500 accounts may have been accessed.
The operator said responding to the attack cost it £230,000, and that 250 players had closed their accounts because of the negative publicity.
The company was investigated by the UK’s data protection watchdog to ascertain whether it had breached the Data Protection Act.
In 2018, Camelot was fined £1.15 million for a variety of failings that included “inadequate security measures.”
DIY Hacking Tool
The court heard that Batson had downloaded the readily available Sentry MBA automated cyberattack tool to assist with his credential-stuffing plan before joining a WhatsApp group devoted to hacking under the alias “Rosegold.”
Judge Jeffrey Pegden said Batson had targeted “a large honorable organization.”
“Your offending took place over a relatively short period in the second half of 2016,” said Pegden. “In my view, the gravity of your offending does not lie in the gravity of the loss occasioned by the hacking and the fraud that indeed was low.”
Batson was arrested by the National Crime Agency (NCA) in May 2017. He initially denied his involvement, claiming his own devices had been hacked and his identity stolen.
But officers quickly uncovered the WhatsApp group in which Batson was seen to be discussing the buying and selling of usernames and passwords, suggesting he was not planning to call it quits at £5.