Huge data breach at Paddy Power bookmakers - details of over 649,000 customers stolen
Published 31/07/2014 | 13:57
There has been a huge data breach at Irish bookmakers Paddy Power, with the personal details of over 649,000 customers having been stolen.
About 120,000 of the customers are based in Ireland.
The stolen data includes personal information entered by customers signing up to the Paddy Power online service in 2010 and the years prior to that.
The information includes names, addresses, dates of birth, and even the maiden names of mothers, which are often used to verify account details.
The stolen data does not include any personal financial information.
The 649,055 customers affected represented 29% of Paddy Power’s total online customer base in 2010.
No customers who signed up after 2010 are impacted by the breach.
The betting group - headed up by chief executive Patrick Kennedy - has only this afternoon confirmed the huge incursion to its systems, which occurred in 2010.
But it is not yet clear why the company has waited until now to tell consumers.
It’s believed Paddy Power was aware in 2010 that malicious activity had taken place against its systems and then completed a security audit and updated its technology infrastructure.
While Paddy Power didn’t know the extent of the infiltration at the time, customers still weren’t told of a potential breach.
It is understood that in May this year the company was approached by a third party who became aware that a person in Canada was in possession of personal details of Paddy Power customers.
It’s not yet known whether that person had been attempting to sell the data.
The company verified that the data had come from its system. It then commenced legal proceedings in Ontario to secure possession of computer equipment owned by the person who was holding the Paddy Power data. The company liaised with local police in Ontario. It’s understood the person was residing in Toronto.
It’s not yet clear if criminal proceedings will be initiated against the individual who was found to be in possession of the data.
The Data Protection Commissioner has been informed of the breach and Paddy Power has begun informing customers.
“We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result,” said Peter O’Donovan, MD Online, Paddy Power.
“We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.
“Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats. This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure,” he added.
Source: Irish Independent