The National Lottery of Luxembourg experienced a data breach targeting its sports betting provider, loteriesport.lu. Unauthorized actors gained access to the IT systems, compromising player data, including names, addresses, and bank details of online sports betting customers. While the breach did not expose credit card information or passwords, it affected a significant subset of user records tied to the platform. The incident was isolated to the sports betting site, with no impact on broader online gaming operations. The National Lottery reported the breach to the National Data Protection Commission and stated that urgent corrective measures are underway in collaboration with the affected subcontractor to mitigate risks and enhance protections. As the sole authorized sports betting operator in Luxembourg, the breach raises concerns over customer trust, financial fraud risks, and potential regulatory scrutiny, though no immediate financial losses or systemic disruptions were reported.
TPRM report: https://www.rankiteo.com/company/loterie-nationale-luxembourg
"id": "lot5732757090825",
"linkid": "loterie-nationale-luxembourg",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Gambling / Lottery',
'location': 'Luxembourg',
'name': 'National Lottery of Luxembourg',
'type': 'Government-operated lottery and sports '
'betting operator'},
{'customers_affected': 'Online sports betting customers '
'(exact number unspecified)',
'industry': 'Gambling / Sports Betting',
'name': 'Unnamed sports betting provider '
'(subcontractor of National Lottery of '
'Luxembourg)',
'type': 'Third-party service provider'}],
'customer_advisories': 'Customers advised of unauthorized access to their '
'data (names, addresses, bank details) and assured '
'that credit card information and passwords were not '
'compromised',
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['personal identifiable '
'information (PII)',
'financial data (bank details)']},
'description': 'The cybersecurity incident affected the IT systems of the '
'National Lottery’s sports betting provider, resulting in '
'unauthorized access to player data, including names, '
'addresses, and bank details of the lottery’s online sports '
'betting customers. The breach was limited to the '
'loteriesport.lu sports betting site, with online gaming '
'operations unaffected. Credit card information and passwords '
'were not compromised.',
'impact': {'brand_reputation_impact': 'Potential negative impact due to '
'exposure of sensitive customer data',
'data_compromised': ['names', 'addresses', 'bank details'],
'identity_theft_risk': 'High (due to exposure of names, addresses, '
'and bank details)',
'payment_information_risk': 'Moderate (bank details exposed, but '
'no credit card information or '
'passwords compromised)',
'systems_affected': ['loteriesport.lu sports betting site']},
'investigation_status': 'Ongoing (corrective measures being implemented)',
'post_incident_analysis': {'corrective_actions': 'Collaboration with the '
'affected subcontractor to '
'implement protection, '
'remediation, and mitigation '
'measures'},
'references': [{'source': 'National Lottery of Luxembourg public statement'}],
'regulatory_compliance': {'regulatory_notifications': ['National Data '
'Protection Commission '
'(Luxembourg)']},
'response': {'communication_strategy': 'Public statement issued to notify '
'affected players; notification to the '
'National Data Protection Commission',
'incident_response_plan_activated': True,
'remediation_measures': 'Urgent corrective measures implemented '
'in collaboration with the affected '
'subcontractor',
'third_party_assistance': True},
'stakeholder_advisories': 'Players notified of the breach',
'title': "Data Breach at National Lottery of Luxembourg's Sports Betting "
'Provider',
'type': 'Data Breach'}