The highlight of this week’s online gambling news is the data breach that happened in 2010 and affected 649,000 Paddy Power customers. Their personal details were stolen by a Canadian who hacked into the betting company’s database. Now, four years later, Paddy Power is sending out emails to users who have been affected.
The hacker accessed personal information such as names, addresses, phone numbers, dates of birth, and even all the security questions used to verify accounts, along with the answers chosen by users. Luckily, he did not manage to get his hands on any financial information.
“We sincerely regret that this breach occurred and we apologize to people who have been inconvenienced as a result,” online division chief Peter O’Donovan said.
“We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach.”
Irish Mirror: Paddy Power say 650,000 customers affected by 2010 cyber attack
Paddy Power started to contact customers, after it was discovered that their personal information was leaked in a 2010 cyber attack. Almost 650,000 punters were affected by the data theft, and the Irish betting company said it was “pro-actively” getting in touch with those whose names, addresses, and phone numbers may have fallen into the wrong hands.
When checking their emails or the latest gambling results, some customers also came across a letter signed by Paddy Power’s managing director of online business, Peter O’Donovan, delivering the bad news that their personal details were stolen. The attack allegedly originated in Ontario, Canada.
The company said no financial information was taken from the 120,855 Irish customers, 461,154 UK users, and 67,052 international punters who have been affected. It has been reported that Paddy Power became aware of the fraud in May, when it immediately launched an investigation, but it’s unclear why it took them so long to go public with it.
“We are communicating with all of the people whose details have been compromised to tell them what has happened,” O’Donovan added.
Comox Valley Echo: Irish betting company Paddy Power apologizes for 2010 data breach involving 649,055 customers
The Dublin-based online and mobile betting operator said it had known since 2010 that someone attempted to hack its customers’ online accounts. Paddy Power monitored the system for signs of fraud or theft, but said it had found no evidence of it actually happening.
It was only in May that the company received a tipoff about a man in Toronto who had an archive of Paddy Power’s customers’ names, addresses, phone numbers, emails, birth dates, usernames, and security questions. All this information would come in handy to someone trying to impersonate customers in order to break into their personal accounts on other websites.
Two Canadian court orders were secured in July, ordering the man to surrender his database. The police also obtained permits to look into his IT equipment and financial records. The man was questioned by officers, but is yet to be charged with any crime.
Paddy Power has started to send emails to the 649,055 customers affected. That number represented almost 30% of its online gamblers in 2010. Users were advised to change their security questions on all web accounts.
According to Maksym Schipka, an information security specialist working for British cyber-security firm Clearswift, the betting operator’s failure to identify the details of the data theft over the past four years is “a huge failure on Paddy Power’s behalf to maintain control and protection of its users’ critical information.”
Global Post: Ireland expresses concern over data breach in bookmaker Paddy Power
Soon after it came to light that a Canadian hacker had stolen personal information from Paddy Power’s database, the Irish government publicly expressed concern over the data breach.
Dara Murphy, minister of state at the departments of the prime minister and foreign affairs with special responsibility for European affairs and data protection, told reporters: “I am very disappointed that it has taken until now for Paddy Power to inform its customers.”
The breach occurred in October 2010, but Paddy Power did not inform the office of the Data Protection Commissioner until May 12, 2014. While gambling laws do not make it mandatory for operators to report such breaches, this is the recommended best practice.
The Irish betting operator waited almost four years to talk about what happened, and only went public after an investigation revealed details about the data theft.
“Paddy Power put in place increased security measures after the breach in 2010 and I have been in touch with the Office of the Data Protection Commissioner, which met with Paddy Power representatives this week,” Murphy added in a statement.
“My office and that of the Data Protection Commissioner will be working closely in relation to this matter. It is best practice to inform the commissioner as soon as these breaches occur, and although these were not breaches of password or financial information, the data security breach code of practice should be followed at all times in order to safeguard personal information and assure customers that their data is secure.”