One of the events an online gambling operator dreads most is the theft of player details in a security breach. This is exactly what happened to Paddy Power in the biggest data breach, in which the details of 649,000 players were stolen from the online casino database. A detailed examination of the theft by the Bloomberg business news service revealed that:
- In 2010, technicians at Paddy Power detected what seemed like malicious activity. This is when the theft of the data is believed to have occurred.
- In December 2013, approximately three years after the incident, a Canadian entrepreneur and affiliate marketer, Jason Ferguson, saw an offer on the Internet of a database of online players for sale by an anonymous seller from Malta. He claims that it is common to find such offers online. The two negotiated the sale and settled on a price of 9,700 euros. Ferguson took the data and used it in his attempt to market to the players or to sell the database. He claims that he did not know the data had been stolen and therefore did not do anything wrong.
- At the beginning of this year, a data breach consultant, Joe Saumarez Smith, was made aware of the database that Ferguson had while he was investigating another, unrelated issue. He made contact with Ferguson, who tried to convince him of the database's value. Ferguson sent him a sample with the intention of making a sale.
- Saumarez Smith's examination of the sample led him to suspect that it could be Paddy Power's property. He gave it to Paddy Power, which immediately assigned it to a special team for analysis. This confirmed that the data was Paddy Power's property.
- Working together with Ontario courts and the police, the legal representatives of Paddy Power obtained court orders to search Ferguson's computer equipment and bank account.
- On July 7, Ferguson was shocked when a group of people arrived at his home office with court orders. He cooperated, and they took his hard drive, cleaned the Paddy Power information from it, and returned it to him. He has apparently since destroyed it, and he says that he does not want anything more to do with the whole issue.
Ferguson was not prosecuted because the police did not find any evidence to indicate malicious or criminal activity on his part.
Unfortunately, Paddy Power had to suffer the embarrassment of telling the players about the breach this late. The incident received a lot of media coverage. Paddy Power disclosed the breach for the first time on 31 July by posting a statement on its website. It also alerted the 649,000 players who were affected. The stolen data did not include financial information or the players' account passwords, nor were their accounts accessed. Nevertheless, Paddy Power apologized.
Ireland's Data Protection Commissioner severely criticized the company for failing to report the breach in a timely manner; although reporting is not mandatory, it is the recommended best practice.