Important data security update

What happened? 

Lincoln Community Lottery is run on behalf of City of Lincoln Council by Gatherwell Limited (Gatherwell), who are a large, experienced and regulated lottery manager. 

On Friday 1 December, Gatherwell were informed that a data breach had taken place. This impacted customers who had signed up for direct debit services on or before 8 November 2023. We now know that this breach was caused by a cyber-attack against a third party organisation, London & Zurich (L&Z), which was appointed by Gatherwell to handle direct debit collections. Gatherwell’s lottery system was not impacted by the cyber-attack. 

What kind of data is affected? 

The types of data impacted are full name, email address, billing address, phone number and bank account details (account number and sort code). No government-issued ID data (e.g. passport number, national insurance number) or payment card data was compromised as a result of the incident. 

Is my data at risk? 

Gatherwell has received assurances from L&Z that the affected data has been recovered, and steps have been taken to protect your data and prevent similar situations in the future. There is no evidence that your data has been published, passed on to any third parties or misused in any way, however we recommend that you be extra vigilant with regard to financial transactions including sharing your information with anyone, whether that be over the phone, by email or otherwise. 

We will only email you about Lincoln Community Lottery via our dedicated support email address [email protected]. Both City of Lincoln Council and Gatherwell have reported the incident to the Information Commissioner’s Office (ICO), who may carry out their own investigation. We have also reported the incident to the Gambling Commission as a precautionary measure.

I don’t play the lottery anymore. Why am I being told about this?

Direct debit payments are covered by the Direct Debit Guarantee, which protects you in case that a mistake is made when a payment is collected, for example if the wrong amount of money is taken from your bank account. This means that L&Z continues to hold your data after you have cancelled your direct debit so that it can handle refund claims under the Direct Debit Guarantee.

Do I need to change my password? 

This incident is limited to L&Z’s direct debit processing system. Gatherwell’s lottery system was not impacted. As such, you do not need to change your password on the Lincoln Community Lottery website. 

How will you keep my data safe in the future? 

We have been informed that L&Z’s servers which host their direct debit system have been rebuilt in a new environment, which has been thoroughly tested for vulnerabilities by an external cyber security expert. Whilst it is never possible to completely eliminate the risk of a cyber-attack, L&Z has robust technical and security measures in place to guard against similar attacks in the future.

We take the safety of your information very seriously, and we sincerely apologise for any concern or inconvenience this incident may cause you.