Broker tried to sell details of 650,000 Paddy Power customers for €7,600
A CANADIAN man who tried to sell the hacked online details of 650,000 Paddy Power customers for €7,600 has broken his silence about how he got the stolen information.
Jason Ferguson (40), who is not being prosecuted for holding the confidential customer information, said that he purchased the data from an unnamed online seller in Malta in December last year.
The hacked customer information includes the names, emails, addresses and dates of birth of 120,000 Irish Paddy Power customers and 650,000 customers overall.
Two weeks ago, Paddy Power revealed the extent of the data breach, which occurred in 2010. The hacked data did not include any financial information or passwords.
Mr Ferguson said that he purchased the data lawfully.
"I bought lots of data for marketing but I did not hack anything," Mr Ferguson said in the interview with Bloomberg.
Mr Ferguson attempted to resell the hacked information as a "database broker", according to Paddy Power, which launched a legal case in Canada for the retrieval of the hacked data.
It was discovered by a UK data breach specialist who was searching for black market peddling of stolen databases.
Mr Ferguson tried to sell the Paddy Power database to the UK specialist for €7,600, claiming that he'd consulted for "major companies and individuals" in the brokering of gaming databases, according to documents Paddy Power filed in a Canadian court.
"This data is very, very good and a unique marketing opportunity as you can get immediately a ton of players and affiliates," Mr Ferguson wrote in an email to the specialist in May. "As you can see it's very extensive and easily monetised. You get exclusive rights as he wants to foster repeat business and long-term relations with people. Once I pay him the cash, he delivers all links."
Mr Ferguson wanted €7,600 for the files and sent the specialist a sample of the data, the documents show.
The Paddy Power data was among a package of lists Ferguson was selling for his Maltese contact, according to the court filings.
"I thought I was acting within the realm of legality," said Mr Ferguson, in an interview with Bloomberg. "Is it ethical? "Should I have had the data? To my knowledge, there's no precedent."
But Paddy Power secured two Canadian court orders early last month to enable computer equipment belonging to Mr Ferguson to be seized and searched, as well as his bank accounts.
After Ferguson was shown the court orders, he led the team to his basement, where they seized a hard drive and other equipment containing the names, contact details, addresses, dates of birth, and secret questions and answers for 650,000 Paddy Power clients that they later wiped clean.
No customers who signed up to Paddy Power online after 2010 are impacted by the breach. It does not include personal financial information.