Paddy Power lambasted over delay in reporting data breach

Paddy Power Chief Executive Patrick Kennedy. Inset: The bookmakers website

Padraic Halpin

The government has criticised bookmaker Paddy Power for delays in reporting a data breach that occurred in 2010 and which compromised the personal information of more than half a million customers.

Paddy Power waited until Thursday to tell 649,055 customers their names, email address, phone numbers and answers to security questions had been hacked in the breach.

It said it had detected malicious activity at the time but, after a detailed investigation, determined that no financial information or customer passwords had been put at risk.

"I am very disappointed that it has taken until now for Paddy Power to inform its customers," Ireland's junior minister with responsibility for data protection Dara Murphy said in a statement.

"It is best practise to inform the Data Protection Commissioner as soon as these breaches occur, and although these were not breaches of password or financial information, the code of practice should be followed at all times."

Paddy Power, which has been at the forefront of a surge in online customer growth in the betting sector, said it contacted the Data Protection Commissioner and police after it was advised in May of an allegation that the data hacked in 2010 was in the possession of an individual in Canada.

The bookmaker received orders from a Canadian court in July to recover the dataset and examine the individual's bank accounts and financial transactions.

It said it had suspected that some non-financial customer information may have been exposed and a full review of security systems was undertaken.

Concerns over the vulnerability of private data online have risen after a series of attacks by cyber criminals, including the large-scale theft of payment card data at U.S. retailer Target Corp during the holiday shopping season in late 2013.

In its email to affected customers, Paddy Power said there was no evidence the data had been used maliciously but it recommended that they review other websites where they had used the same prompted security question and answer.

"We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result," Peter O'Donovan, Paddy Power's managing director of online, said in a statement.

"Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats. This means we are very confident in our current security systems."