Paddy Power Had Data for 650,000 Customers Stolen
PaddyPower is a big name in European online gambling. The Irish company has one of the better marketing teams in the industry, who produce funny and inventive ways to promote the company. They are going to find their jobs a lot harder in the coming days and weeks, as it is being reported today that information on just under 650,000 Paddy Power customers had been stolen from the company's database. In 2010.
The stolen data includes personal information on 649,055 PaddyPower customers who signed up for the site in 2010. The data includes names, addresses, dates of birth, mothers' maiden names, and other personal information used to set up an online account. What was not taken, however, was any financial information such as bank account numbers or credit card information. Around 120,000 of the impacted accounts belong to Irish residents, and only accounts set up before the end of 2010 are part of the stolen data.
The information was stolen back in 2010, during a cyberattack on Paddy Power’s database. The company was aware of the incursion at that time, but today is the first time that any of PaddyPower’s customers have been advised that their information had been compromised. In a statement from PaddyPower, the company’s Managing Director of Online, Peter O’Donovan, said: “We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result… We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.
“Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats. This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure.”
The data was recovered after the company was approached by an unknown third party, who advised that the data was in the hands of an individual in Canada. PaddyPower confirmed that this data was indeed from the company’s database, and began legal proceedings in Ontario in order to reclaim the data, as well as the hardware it was stored on. The operation included local police in Ontario, with the subject of the investigation apparently living in Toronto. No charges have been brought as yet, but they have not been ruled out. It has not been announced whether the person in possession of the stolen information was in the process of selling it, or whether he/she had already sold the data on to another party.
A spokesman for the Irish Data Protection Commissioner has been quoted as saying the agency is “disappointed” that PaddyPower is only just bringing this breach to light now, rather than advising the agency of the breach in 2010. PaddyPower is reported to have only advised them in May of this year.
The office of the Irish Data Protection Commissioner has no legal powers to fine PaddyPower for the breach, but can comment on the situation in the commissioner’s annual report, which will be issued in May 2015. We contacted the office of the Data Protection Commissioner and received a response; the relevant parts are reproduced below:
“On the 12th May, 2014 Paddy Power notified this Office of a data security breach in accordance with our Personal Data Security Breach Code of Practice. This Office then launched an investigation into the matter…
“We understand Paddy Power had identified the attack back in October 2010 and implemented security measures to stop the attack. Following discussions, this Office is satisfied with the measures implemented by Paddy Power to prevent a repeat of this type of incident. In line with our approach to data breaches generally, we have advised the organisation to notify affected individuals and we understand that Paddy Power is commencing that process today. This Office would recommend that affected individuals follow the advice given by Paddy Power to change their security questions on any other sites where they may have been used.
“Our investigation of this matter is continuing and we anticipate that further recommendations will issue from this Office to Paddy Power in relation to security of data.”
Why Paddy Power has taken so long to announce this cyberbreach is unknown, and what, if any, sanctions the company will have to face is still unclear.
Paddy Power are now in the process of contacting the affected accounts. If you are concerned your details may have been compromised, please contact Paddy Power’s support team by emailing [email protected], or by calling them on +353 1 905 0132.
<EDIT> Paddy Power have responded to our email, and we have received a standard statement that includes the quotes above. We have asked further questions, and will edit again if/when we receive a response.