Paddy Power notifies more than 600,000 customers of data breach
Paddy Power has said that it is in the process of contacting more than 600,000 customers to notify them of a data breach that took place in 2010.
In a statement, the company said that “No financial information or customer passwords were compromised in the isolated incident and customers’ accounts are not at risk as a result”.
Despite the fact that the breach took place some years ago, the company said that the full extent only became known “in recent months” when it came to light that an individual in Canada was in possession of customer data from the 2010 breach.
Paddy Power said that it “took legal action in Canada with the assistance of the Ontario Provincial Police to retrieve the compromised dataset from an individual”.
The company was keen to emphasise that customers’ financial information, “such as credit or debit card details” had not been compromised and “is not at risk”, nor had account passwords been compromised. Paddy Power did confirm that the historical dataset contained “individual customer’s name, username, address, email address, phone contact number, date of birth and prompted question and answer”.
Paddy Power said that the accessed information alone would not have been sufficient to grant access to a Paddy Power customer account, and furthermore, the breach would have no impact on customers who opened accounts after 2010.
“We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result,” said Peter O’Donovan, MD Online, Paddy Power. “We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.”
“Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats,” said O’Donovan. “This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure.”
The company said that in May of this year, it was advised that the information was in possession of an individual in Canada, and that it alerted An Garda Siochána and the Office of the Data Protection Commissioner. When the information was verified as coming from the 2010 breach, court proceedings were undertaken and IT assets were seized “to recover the dataset and delete it from the IT systems, to examine his bank accounts and financial transactions and to question” the individual, with the assistance of the Ontario Police.
Forensic analysis of the data showed that the exact number of customer records compromised was 649,055. The company said that it had detected malicious activity in “an attempted breach of its data security system in 2010”. After a detailed investigation at the time, Paddy Power said it determined that “no financial information or customer passwords had been put at risk. It was, however, suspected that some non-financial customer information may have been exposed”.
This led to a full review of security systems. The company said that it has invested more than €4 million in IT security systems.
Speaking to TechPro, IT security expert Brian Honan commented, “that information could be very much used by people to compromise accounts by trying to socially engineer their way in. A lot of the information there could be used as questions by other organisations where people have accounts.”
“A lot of organisations are using information that 20-30 years ago would have been relatively difficult for a criminal to get their hands on,” said Honan, “like your mother’s maiden name or your mobile phone number, your date of birth and other personal details. But today, with social media, it can be easily found out. We now have a problem whereby organisations are using publically available information and thinking that it can authenticate who somebody is when they are trying to get their password reset.”
For a criminal to have such information, all connected to an individual, such as the mother’s maiden name, phone number and date of birth, makes it all the more easy to craft a hacking attempt said Honan.
Another consequence Honan warned, was that it would easy to craft personalised phishing emails to further compromise individuals.
The Paddy Power statement does not say whether the Data Protection Commissioner was notified in 2010, after the malicious activity had been detected.
However, Honan said that he would advise otherwise.
“When we deal with clients who have been in similar situations, we strongly recommend that they contact the data protection commissioner, even if they do not know the extent the breach just yet.”
Statement from DPC
“We understand Paddy Power had identified the attack back in October 2010 and implemented security measures to stop the attack,” said the Office of the Data Protection Commissioner said a statement on the matter.
“Following discussions, this Office is satisfied with the measures implemented by Paddy Power to prevent a repeat of this type of incident.
“However, this Office is disappointed that Paddy Power did not report the matter to us back in October 2010 in line with best practice.”