THE Data Protection Commissioner has criticised Paddy Power for failing to notify it of a cyber attack in which personal details of 649,055 customers were stolen.
The commissioner Billy Hawkes's office said it is "disappointed" the gambling firm did not follow best practice by informing it of the incident in 2010.
While Paddy Power was aware of the attack, it was not until last May it found out "with precision" the full extent of the breach, the company said.
The stolen data includes names, usernames, addresses, email addresses, phone contact numbers and dates of birth.
Financial information like credit or debit card details was not compromised, Paddy Power said.
Account passwords were also not compromised. Only customers who signed up in 2010 and in the years prior to that are impacted.
It represented 29pc of the firm's total online customer base in 2010.
Individuals affected were advised to review any other online accounts they have. Some 120,000 of the 649,055 customers are based in Ireland.
The commissioner's office was notified on May 12 last of a "data security breach".
It said: "[This] office is disappointed that Paddy Power did not report the matter to us back in October 2010 in line with best practice."
The company is now contacting everyone affected.
It advised customers to review other sites where they use the same security question and answer and update them where appropriate.
In 2010, the firm had detected malicious activity in an attempted breach of its security system but determined no financial information or customer passwords was put at risk.
It later upgraded its security system but the public was not notified.
Then last May, Paddy Power was advised customer information was allegedly in the possession of an individual in Canada.
It contacted gardai and the Data Protection Commissioner.
The firm received two court orders in Canada to seize the person's IT assets, to recover the data and delete it from the IT systems.
It was also allowed examine the man's bank accounts and financial transactions and to question him, with the assistance of the Ontario Provincial Police.
The man in question is believed to have been living in Toronto.
Having examined the data, Paddy Power determined personal information relating to 649,055 customers was compromised during the 2010 attack.
"We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result," said Paddy Power's Peter O'Donovan.