650,000 have data stolen after bookmaker site hacked
Published 01/08/2014 | 02:30
The information taken includes the details of around 120,000 customers based in Ireland. And the Office of the Data Protection Commissioners has raised concerns with Paddy Power after it emerged the breach occurred four years ago.
However, Paddy Power states it only became aware of the extent of the data breach in May of this year.
The stolen data includes personal information entered by customers signing up to the Paddy Power online service in 2010 and the years prior to that.
The information includes name, email, address, date of birth, and even the maiden names of mothers, which are often used to verify account details. However, it does not include any financial information or passwords.
The customers affected represented 29pc of Paddy Power's total online customer base in 2010. No customers who signed up after 2010 are impacted by the breach.
Peter O'Donovan, the managing director of Paddy Power's online unit, said a third party, whom he refused to identify but who has been known to the group for a number of years, informed the company a person in Canada was in possession of Paddy Power customer data. The company then alerted gardai as well as police in Ontario.
It secured two court orders early last month to enable computer equipment belonging to the person who was possession of the information to be seized and searched, to search their bank accounts and for the person to be questioned.
Mr O'Donovan said the third party is not resident in Canada. He said neither person had ever been employed by the gambling group but he refused to identify the person who was in possession of the data.
A spokesman for the office of the Data Protection Commissioner said the agency was "disappointed" Paddy Power did not inform it in October 2010 of a suspected data breach. She said that concern has already been relayed to Paddy Power.
Paddy Power informed the data watchdog in May of its probe in Canada.
Dara Murphy, Minister of State for European Affairs and Data Protection, also said he was "very disappointed" that it had taken so long for Paddy Power to inform its customers.
It's not yet clear if criminal proceedings will be initiated in Canada or elsewhere against the individual who was found to be in possession of the data.
Mr O'Donovan, the managing director of Paddy Power's online unit, told the Irish Independent that 85,000 of the 649,055 customers who were impacted are still active on its system.
He said there was no indication that the stolen information had been sold by the person who had possessed it.
However, it is understood that the suspicion is that he was planning on doing so.
The betting group only confirmed the huge incursion to its systems yesterday, despite it having occurred in 2010. The company suspected a breach then following a cyber-attack that year, but executives decided not to tell customers as no financial data or passwords had been compromised.
"We carried out a detailed investigation and det-ermined that no financial or password data had been put at risk. There was no thr-eat to any customer accounts," said Mr O'Donovan.
But custo-mers took to social media yesterday to express surprise that they'd only been told of the data breach four years after it had happened.