Data Breach Exposes 650,000 Online Players, Paddy Power Informs them Four Years Later

The personal details of almost 650,000 Paddy Power customers have been stolen after a huge software breach.

Gamblers using Paddy Power’s online website to bet on sports in Ireland are fuming. About 120,000 of them are now fully exposed, as a recent data breach allowed hackers to steal all the personal details they entered into their account, when they signed up to the company’s online sportsbook.

The information includes names, addresses, dates of birth of gamblers who signed up in 2010 and in the years before that. The hackers had access even to everyone’s mothers’ maiden names, a detail often used to verify user accounts. Luckily, all personal financial data is safe.

Four years of silence

Mostly known for its online and mobile betting services, Paddy Power also offers:

• A poker site
• A casino
• A live casino
• Bingo
• Games

The whole point of regulating the online gambling industry is to offer better consumer protection. Every country has its own set of rules, but all of them ask that licensees take all the necessary measures to protect their customers’ personal information. And Irish gambling laws are no exception.

However, despite all the security, privacy and confidentiality measures used by online casinos, sometimes… it just happens. This time around, it happened to 649,055 unfortunate users. In 2010, that number represented 29% of Paddy Power’s total online customer base. However, it seems that players who signed up after 2010 are perfectly safe.

Rumor has it the betting group was fully aware that malicious activity had taken place and that users had been exposed. It even completed a security audit and decided to update its technology infrastructure.

The data breach happened four years ago, but Paddy Power has only confirmed it just now. It’s not clear why the company – headed by chief executive officer Patrick Kennedy – took so long to reveal this information and hid it from its clients for years. Of course, back then the Irish betting operator did not know the extent of the infiltration, but customers still weren’t warned of the potential breach.

It appears that the bubble finally burst this May, when the company was approached by someone who allegedly knew that a person in Canada was in possession of Paddy Power’s customers’ personal info. Whether he was trying to sell the data or just warn the company about this remains a secret.

Hacker caught, Paddy apologizes

The online and mobile betting company did some investigations of its own and found that the data had indeed come from its system, and then decided to begin legal proceedings in Ontario, in order to get its hands on the computer where the information was stored. Paddy asked the Ontario police for help and soon after, officers found out that the hacker was living in Toronto.

So far, it’s not clear if authorities will initiate criminal proceedings against the guy who was caught with all that stolen information, but the Data Protection Commissioner has been informed of everything that happened and Paddy Power has begun notifying customers too.

“We sincerely regret that this breach occurred and we apologize to people who have been inconvenienced as a result,” said Peter O’Donovan, managing director for Paddy Power’s online operations.

“We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.

“Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats. This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure,” he added.

Kings of controversy

Paddy Power has had its fair share of scandals, but so far they’ve been mostly related to controversial marketing and advertising campaigns, such as the stunt where the company encouraged punters to bet on whether Oscar Pistorius will be found guilty or not. This was just one of the many campaigns labeled as “scandalous” and even “sick”.

Of course, then there was the other campaign where the betting operator invited users to place wagers on which animal would be killed next at Copenhagen Zoo. Add another handful of patronizing football-related adverts, all bordering on offensive, and you’ll start to have a vague picture of the image Paddy Power has created for itself over the years.

Now the betting operator may have also infuriated its own clients, by keeping it a secret that their personal information has been in the hands of some hacker for almost four years now.