Friday 24 October 2014

Massive data breach at Paddy Power bookmakers

Personal details of over 649,000 customers having been stolen.

Published 31/07/2014 | 13:41

Paddy Power Chief Executive Patrick Kennedy. Inset: The bookmakers website

THERE'S been a massive data breach at gambling firm Paddy Power, with personal details of over 649,000 customers having been stolen.

About 120,000 of the customers are based in Ireland.

The stolen data includes personal information entered by customers signing up to the Paddy Power online service in 2010 and the years prior to that.

The information includes names, addresses, dates of birth, and even the maiden names of mothers, which are often used to verify account details.

The stolen data does not include any personal financial information.

The 649,055 customers affected represented 29pc of Paddy Power’s total online customer base in 2010.

No customers who signed up after 2010 are impacted by the breach.

The betting group - headed up by chief executive Patrick Kennedy - has only this afternoon confirmed the huge incursion to its systems, which occurred in 2010.

But it’s not yet clear why the company has waited until now to tell consumers.

It’s believed Paddy Power was aware in 2010 that malicious activity had taken place against its systems and then completed a security audit and updated its technology infrastructure.

While Paddy Power didn’t know back then as to the extent of the infiltration, customers still weren’t told of a potential breach.

It’s understood that in May this year the company was approached by a third party who became aware that a person in Canada was in possession of personal details of Paddy Power customers.

It’s not yet known whether that person had been attempting to sell the data.

The company verified that the data had come from its system. It then commenced legal proceedings in Ontario to secure possession of computer equipment owned by the person who was holding the Paddy Power data. The company liaised with local police in Ontario. It’s understood the person was residing in Toronto.

It’s not yet clear if criminal proceedings will be initiated against the individual who was found to be in possession of the data.

The Data Protection Commissioner has been informed of the breach and Paddy Power has begun informing customers.

“We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result,” said Peter O’Donovan, MD Online, Paddy Power. 

“We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.

“Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats.  This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure," he added.

A spokesman for the office of the Data Protection Commissioner said the agency was “disappointed” that Paddy Power did not inform of it in October 2010 of a suspected data breach. She said that concern has already been relayed to Paddy Power.

The agency was first informed of the suspected data breach in May this year.

The Data Protection Commissioner has a code of practice that was introduced in 2010, a number of months before the suspected data breach at Paddy Power. But the code is voluntary and companies aren’t obliged to adhere to it. In 2013, the office dealt with 1,577 data security breach notifications.

The Data Protection Commissioner has no legal capacity to levy fines on entities that have had a data breach. However, Commissioner Billy Hawkes has absolute privilege in his annual report to discuss breaches. The next annual report won’t be issued until May next year.

Read More

Editors Choice

Also in Business