Incident was dealt with at the time, Data Protection Commissioner was not informed

Aug 1, 2014 16:03 GMT

On Thursday, in a statement to its customers, Paddy Power, a company that provides bookmaking services, admitted to a historical data breach that occurred in October 2010 and resulted in the compromise of a dataset with details for 649,055 customers.

The company said that, during the incident, no financial information or customer passwords were accessed by the hackers. However, the intruders managed to steal names, usernames, addresses, email addresses, phone contact numbers, dates of birth, and security questions and answers.

From a security point of view, all this information is more than enough for cybercriminals to make some money through identity theft, spam or phishing emails.

Although Paddy Power knew about intruders hacking their systems in 2010, they were not aware of the magnitude of the incident until recently (in May), when the company “took legal action in Canada with the assistance of the Ontario Provincial Police to retrieve the compromised dataset from an individual,” the statement says.

It appears that the vulnerability leveraged by the intruders back in 2010 was fixed at that time, since customers who created an account with the service after that date are not affected.

Representatives of the Irish bookmaking service say that the stolen information could not be used to compromise the accounts.

To further stress that no credit or debit card details and passwords were compromised, the company says that its account monitoring systems did not trigger any alerts for suspicious activity indicative of a breach of customer accounts.

“We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened,” says Peter O’Donovan, MD Online, Paddy Power.

The company is currently issuing notifications to all affected customers, who are advised to change the security question and answer on other sites if the pair is the same as the one used for the Paddy Power account.

The Data Protection Commissioner (DPC) was not informed of the incident at the time of its occurrence. In a statement for Techcentral.ie, the Office of the DPC expressed its disappointment that it was notified only when new information about the breach came to light, four years later:

“However, this Office is disappointed that Paddy Power did not report the matter to us back in October 2010 in line with best practice.”