Important data security update

What happened?

THE LOCAL LOTTO is run on behalf of NORTH YORKSHIRE COUNCIL by Gatherwell Limited (Gatherwell), who are a large, experienced and regulated lottery manager.

On Friday 1 December, Gatherwell were informed that a data breach had taken place. This impacted customers who had signed up for direct debit services on or before 8 November 2023. We now know that this breach was caused by a cyber attack against a third party organisation, London & Zurich (L&Z), which was appointed by Gatherwell to handle direct debit collections. Gatherwell’s lottery system was not impacted by the cyber attack.

If you do not pay for your lottery entries by direct debit, this data breach does not impact you.

What kind of data is affected?

The types of data impacted are full name, email address, billing address, phone number and bank account details (account number and sort code). No government-issued ID data (e.g. passport number, national insurance number) or payment card data was compromised as a result of the incident.

Is my data at risk?

Gatherwell has received assurances from L&Z that the affected data has been recovered, and steps have been taken to protect your data and prevent similar situations in the future.

There is no evidence that your data has been published, passed on to any third parties or misused in any way, however we recommend that you be extra vigilant about sharing your information with anyone, whether that be over the phone, by email or otherwise. We will only email you about THE LOCAL LOTTO via our dedicated support email address [email protected]

Both NORTH YORKSHIRE COUNCIL and Gatherwell have reported the incident to the Information Commissioner’s Office (ICO), who may carry out their own investigation. We have also reported the incident to the Gambling Commission as a precautionary measure.

I don’t play the lottery anymore. Why am I being told about this?

Direct debit payments are covered by the Direct Debit Guarantee, which protects you in case that a mistake is made when a payment is collected, for example if the wrong amount of money is taken from your bank account. This means that L&Z continues to hold your data after you have cancelled your direct debit so that it can handle refund claims under the Direct Debit Guarantee.

After you cancel your direct debit, L&Z are still required to hold your data for compliance reasons.

Do I need to change my password?

This incident is limited to L&Z’s direct debit processing system. Gatherwell’s lottery system was not impacted. As such, you do not need to change your password on the THE LOCAL LOTTO website.

How will you keep my data safe in the future?

L&Z’s servers which host their direct debit system have been rebuilt in a new environment, which has been thoroughly tested for vulnerabilities by an external cyber security expert.

Whilst it is never possible to completely eliminate the risk of a cyber attack, L&Z has robust technical and security measures in place to guard against similar attacks in the future.

We take the safety of your information very seriously, and we sincerely apologise for any concern or inconvenience this incident may cause you.