Paddy Power discloses breach affecting 649K customers

Updated to include Paddy Power’s statement.

John Mulligan reports on a data breach at the gambling firm Paddy Power, where details of over 649,000 customers have reportedly been stolen – perhaps as early as 2010:

The stolen data includes personal information entered by customers signing up to the Paddy Power online service in 2010 and the years prior to that.

The information includes names, addresses, dates of birth, and even the maiden names of mothers, which are often used to verify account details.

The stolen data does not include any personal financial information.

[…]

It’s understood that in May this year the company was approached by a third party who became aware that a person in Canada was in possession of personal details of Paddy Power customers.

It’s not yet known whether that person had been attempting to sell the data.

Read more on Independent.ie

This is the second non-U.S. incident this month that appears to first be disclosed years after the entities may have known of the breach. The other incident involved Catch of the Day, who admits they knew about their breach in 2011 but first publicly disclosed it this month. It is not yet clear whether Paddy Power really knew about the scope of their breach in 2010, and if so, why they didn’t disclose it at the time.

Update: Paddy Power’s statement:

Paddy Power is today (Thursday, 31st July 2014) contacting certain customers in relation to an historical data breach. No financial information or customer passwords were compromised in the isolated incident and customers’ accounts are not at risk as a result. The full extent of the 2010 data breach became known to the Company in recent months when it took legal action in Canada with the assistance of the Ontario Provincial Police to retrieve the compromised dataset from an individual.

Paddy Power takes its responsibilities regarding customer data extremely seriously and it is deeply regrettable that this breach happened. Paddy Power has engaged with the Office of the Data Protection Commissioner on this issue and kept them updated on the action taken by the Company.

The historical dataset contained individual customer’s name, username, address, email address, phone contact number, date of birth and prompted question and answer. Customers’ financial information such as credit or debit card details has not been compromised and is not at risk. Account passwords have also not been compromised. Paddy Power’s account monitoring has not detected any suspicious activity to indicate that customers’ accounts have been adversely impacted in any way.

The accessed information alone would not have been sufficient to grant access to a Paddy Power customer account and this incident has no impact on customers who opened accounts after 2010.

Paddy Power is today pro-actively contacting 649,055 affected customers on this issue. Customers are being advised to review other sites where they use the same prompted question and answer as a security measure and update where appropriate.

“We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result,” said Peter O’Donovan, MD Online, Paddy Power. “We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.”

Continuing Peter O’Donovan said: “Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats. This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure.”

 

About the author: Dissent