Full House Lottery is notifying 23,000 people who bought tickets online that their credit card information could have been stolen when the lottery's website was criminally breached.
The breach affects all online ticket purchases made between Feb. 23 and May 2.
The security breach — the third the lottery has experienced in 2017 — also affects 5,300 people who bought tickets for the lottery at show homes. Their names and addresses may have been affected by the hack but their financial information wasn't compromised, the lottery said in a news release Friday.
The only ticket purchasers not affected by the breach are those who bought tickets by mail or telephone, lottery manager Frank Calder said in an interview.
Third breach this year
The latest breach occurred on Feb. 23, one day after another breach put the credit-card information of up to 3,000 people at risk.
The Feb. 22 breach followed an earlier, unrelated breach on Jan. 29, when lottery officials learned that hackers had accessed an email list of people who had supported the lottery in the past.
The Feb. 23 breach wasn't discovered until Tuesday of this week, Calder said.
Officials were "pretty dismayed" when they learned about it, he said. Online ticket sales were halted briefly on Tuesday while the website was moved to a new server operated by a different company.
"I think our reaction was that we better just stop things until we really know what we're dealing with," Calder said.
Edmonton police were notified Thursday, he said.
On Friday morning, an email went out to ticket buyers apologizing for the breach and telling them what to do about it.
Since email notifications went out, "a couple of people" have told the organization they had noticed unexplained charges on their cards, Calder said.
Customers told to contact their banks
Those whose financial information may have been compromised have been told to inform their banks immediately.
"They can advise you on the steps you should take, including how to confirm any transactions on your card," the email says.
Information that may have been stolen includes the customer's name, billing address, email address, phone numbers, and their credit card information — card type, card number, cardholder name, expiry date and the three-digit card verification value (CVV) code.
Calder said customers are asking how the breach could have happened.
"I think for the most part a large number of those people ended up being pretty responsible and accepting, but then there were a few who, for sure, were just unhappy, and understandably," he said.
'People may hold back'
He said it's difficult to know how the latest breach will affect the success of the lottery, which raises money in support of the University Hospital Foundation and the Royal Alexandra Hospital Foundation.
Money raised this year is earmarked to buy an early detection cancer scanner for the Royal Alex and to support the operation of Canada's first stroke ambulance at the U of A Hospital.
"It's a tough year for Albertans anyway, with the economy, and some lotteries have had a pretty difficult time. They've been quite public about that," Calder said.
"Full House Lottery has actually has not done badly this year. It's going to be a successful lottery. But for sure, anything that creates some doubt you know, people may hold back.
"We didn't experience that as a result of the other breaches, but it's certainly a concern. And the other part of it is just intensifying all of our diligence around cyber security."