Data breach at Paddy Power back in 2010?

News on 31 Jul 2014

The Irish Independent reported Thursday that the personal details of over 649,000 online punters using the land and online services of major bookmaker Paddy Power prior to 2010 may have been compromised in a serious data breach that may have impacted up to 29 percent of the 2010 customer database.

The newspaper said that about 120,000 of the customers affected are based in Ireland, and that the data stolen included personal information entered by customers signing up to the Paddy Power online service in 2010 and the years prior to that.

The compromised information is believed to include names, addresses, dates of birth, and account verification details….but apparently it does not include any personal financial information.

Customers who signed up with Paddy Power after 2010 are not affected by the breach.

Paddy Power has confirmed to the newspaper that the data breach occurred in 2010, but there was no indication as to why the company has delayed making the breach public for so long.

The Irish Independent claims that the company was aware of malicious activity in 2010 and commissioned a security audit, followed by an update of its technology infrastructure.

But it is alleged that customers were not told about the breach.

The newspaper reports that earlier this year Paddy Power was approached by a third party who reported that an individual in Canada appeared to have the personal details of large numbers of Paddy Power players.

“The company verified that the data had come from its system,” the Irish Independent reports. “It then commenced legal proceedings in Ontario to secure possession of computer equipment owned by the person who was holding the Paddy Power data. The company liaised with local police in Ontario. It’s understood the person was residing in Toronto.

“It’s not yet clear if criminal proceedings will be initiated against the individual who was found to be in possession of the data.”

In Ireland, the Data Protection Commissioner has been informed of the breach and Paddy Power has begun informing customers.

“We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result,” said Peter O’Donovan, MD Online, Paddy Power.

“We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data.

“That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.

“Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats.  This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure,” he added.

Related and similar