Paddy power has recently admitted to a data breach of up to 650,000 customers in an incident that took place four years ago.
The popular gambling website Paddy Power has advised some of its customers of ‘a historical data breach’ that occurred four years ago. Although the incident took place back in 2010, Paddy Power has been reluctant to admit this four year data breach incident in a hidden away press release.
In this press release, Paddy Power comments that it believes that up to 650,000 customer’s details were stolen by a hacker who hacked into the company’s computer systems. Paddy Power only realised this was the case after it took “legal action in Canada with the assistance of the Ontario Provincial Police to retrieve the compromised dataset from an individual.” To counteract this four year data breach incident, Paddy Power has said that it “has engaged with the Office of the Data Protection Commissioner on this issue and kept them updated on the action taken by the Company.”
Although financial information wasn’t obtained, the hacker managed to acquire customers’ names, addresses, emails, usernames and passwords. More seriously however, the hacker managed to obtain the unsuspected customers date of birth and “prompted question and answers” which, when teamed with names and addresses, could potentially be successfully used on other websites. Any customers, who registered with the site from 2010 onwards, are not affected and Paddy Power’s “account monitoring has not detected any suspicious activity to indicate that customers’ accounts have been adversely impacted in any way”.
Even though Paddy Power are now trying to limit the damage this event has created, many security experts are condemning the gambling company for taking so long to expose this issue. Graham Cluely, an award winning security blogger has commented that “waiting four years to tell your customers and the authorities that your company has suffered a security breach isn’t just sloppy, it seems downright irresponsible.” and that “it should have shared the bad news much earlier, and not tried to hide it away four years later on a webpage that few of its customers will ever visit”. Dara Murphy, Ireland’s Junior Minister said he was “very disappointed that it has taken until now for Paddy Power to inform its customers.”
To counteract this four year data breach, Paddy Power has started to contact any potentially affected customers and advise them to “to review other sites where they use the same prompted question and answer as a security measure and update where appropriate”.