Gambling Site Breach Affects 650,000
Paddy Power Customers' Personal Information Exposed
"No financial information or customer passwords were compromised in the isolated incident, and customers' accounts are not at risk as a result," says Dublin-based Paddy Power, which is listed on Irish and U.K. stock exchanges. Stolen account information included customer names, usernames, addresses, e-mail addresses, phone numbers, dates of birth, as well as security questions and their answers. Any customers who registered an account after 2010 were not affected.
"We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data," says Peter O'Donovan, managing director of online operations at Paddy Power. "That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach."
Paddy Power first notified Ireland's Office of the Data Protection Commissioner about the breach May 12, 2014, more than three years after it occurred. "They became aware of issues back in October 2010, but we didn't receive a report until the 12th of May, 2014," says a DPC spokeswoman. "We receive hundreds or thousands of breach notifications each year, but unfortunately, we just received this one."
But Paddy Power contends that it only learned of the full extent of the breach in May, after allegations surfaced that a certain individual - who has not been named - possessed a copy of the stolen data. Paddy Power says it immediately notified both Canadian and Irish police and "took legal action in Canada" to retrieve the stolen data, which also triggered a related investigation by the Ontario Provincial Police.
Since learning of the breach in May, Ireland's data protection officials have reviewed new information security measures Paddy Power has put in place following the 2010 hacking incident. "We have met with the company and discussed the measures implemented by them in 2010 to prevent a repeat of the type of incident that occurred, and we were satisfied with the types of measures that were implemented," the Data Protection Commissioner spokeswoman says. "Just this week, we've required them to issue the notifications to affected individuals outlining what type of data has been compromised and outlining security advice."
The DPC didn't require notification to individuals until this week because it was aware of the ongoing criminal investigation, the spokeswoman says, "and Paddy Power had to obtain information about exactly what was in that [exposed] database - and they only received that information once the investigation was completed this week."
No Mandatory Notification
Most businesses in Ireland are not required to notify government officials when they suffer a data breach, although the data protection agency recommends they do so. "We have what we call a Personal Data Security Breach Code of Practice which came into place in 2010, and we consider it best practice for businesses that are subject to Irish data protection law to report breaches to this office," the DPC spokeswoman says.
But the DPC has "expressed our disappointment as to the delay" in the bookmaker's reporting of its breach, she adds.
EU officials are considering implementing a mandatory data breach notification law as part of the EU's revised Data Protection Regulation.