A technical error at People's Postcode Lottery (PPL) exposed customer data to unauthorized users as they logged into the platform on **October 27**. Refreshing the homepage displayed other players' **names, addresses, email addresses, and dates of birth**. The issue was resolved within **17 minutes**, with full service restoration by **October 29**. While no external attack was detected, the glitch affected **0.1% of its 4.9 million subscribers** (~4,900 users). PPL notified impacted customers, offered **free Experian credit monitoring for a year**, and reported the incident to the **UK Information Commissioner’s Office (ICO)**. The company emphasized its commitment to preventing future occurrences and reiterated its responsibility to players. PPL operates a subscription-based lottery where **30% of ticket revenue** funds charities, having raised over **£1.5 billion** since 2005.
Source: https://www.theregister.com/2025/10/30/peoples_postcode_lottery_breach/
TPRM report: https://www.rankiteo.com/company/peoples-postcode-lottery
"id": "peo4732247103025",
"linkid": "peoples-postcode-lottery",
"type": "Breach",
"date": "6/2005",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '~0.1% of 4.9 million (~4,900 '
'customers)',
'industry': 'Gambling/Lottery',
'location': 'United Kingdom',
'name': "People's Postcode Lottery (PPL)",
'size': '4.9 million subscribers (2022)',
'type': 'Private Company (Lottery Operator)'}],
'customer_advisories': 'Emails sent to affected users with details of the '
'incident and offer of free credit monitoring.',
'data_breach': {'number_of_records_exposed': '~4,900',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (PII including names, addresses, '
'emails, DOBs)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'date_detected': '2023-10-27',
'date_publicly_disclosed': '2023-10-27',
'date_resolved': '2023-10-29T09:00:00Z',
'description': "A technical error in People's Postcode Lottery (PPL) caused "
'customer data to be exposed to other users upon logging in. '
'The exposed data included names, addresses, email addresses, '
'and dates of birth. The issue was resolved within 17 minutes '
'of discovery, with services fully restored by October 29, '
"2023. Approximately 0.1% of PPL's 4.9 million subscribers "
'were affected. The company reported the incident to the '
"Information Commissioner's Office (ICO) and offered affected "
'customers a year of free Experian credit monitoring.',
'impact': {'brand_reputation_impact': 'Moderate (public apology issued; '
'proactive communication with affected '
'users)',
'customer_complaints': 'Likely (forum posts reported the issue)',
'data_compromised': ['names',
'addresses',
'email addresses',
'dates of birth'],
'downtime': '17 minutes (initial outage) + ~48 hours (full service '
'restoration)',
'identity_theft_risk': 'Moderate (PII exposed; credit monitoring '
'offered)',
'legal_liabilities': 'Potential (reported to ICO; no fines '
'mentioned yet)',
'operational_impact': 'Temporary suspension of online services; '
'customer notifications and credit '
'monitoring enrollment',
'systems_affected': ['Customer portal/web application']},
'investigation_status': 'Completed (root cause identified as technical error; '
'no external attack)',
'lessons_learned': 'Importance of rigorous testing for session/caching '
'mechanisms in customer-facing applications; need for '
'rapid incident response to minimize exposure duration.',
'post_incident_analysis': {'corrective_actions': ['Bug fix deployed to '
'resolve the data exposure '
'issue.',
'Enhanced monitoring and '
'testing protocols '
'implemented (implied by '
'statement on preventing '
'future incidents).'],
'root_causes': 'Technical error in the system '
'logic that retrieved and displayed '
'customer data, likely tied to '
'session or caching mechanisms.'},
'recommendations': ['Conduct a thorough security audit of the customer '
'portal, particularly session management and data '
'retrieval logic.',
'Implement multi-layered access controls to prevent '
'unauthorized data exposure.',
'Enhance logging and monitoring to detect anomalous data '
'access patterns in real-time.',
'Regularly review and test incident response plans to '
'ensure swift containment.'],
'references': [{'source': 'The Register'}],
'regulatory_compliance': {'regulations_violated': ['Potential GDPR (UK GDPR) '
'violation'],
'regulatory_notifications': ['Reported to '
'Information '
"Commissioner's Office "
'(ICO)']},
'response': {'communication_strategy': ['Email notifications to affected '
'customers',
'Public statement',
'Apology issued',
'Offer of 1 year free Experian credit '
'monitoring'],
'containment_measures': ['Service taken offline within 17 '
'minutes of discovery'],
'incident_response_plan_activated': True,
'recovery_measures': ['Full service restoration by 2023-10-29 '
'09:00 UTC'],
'remediation_measures': ['Bug fix deployed',
'System restoration'],
'third_party_assistance': ['Experian (credit monitoring)']},
'stakeholder_advisories': 'Public statement and email notifications to '
'affected customers.',
'title': "People's Postcode Lottery Customer Data Exposure Due to Technical "
'Error',
'type': 'Data Exposure (Unintentional Disclosure)',
'vulnerability_exploited': 'Technical error in user data retrieval/logic '
'(likely session or caching misconfiguration)'}