Friday, September 30, 2011: Company failed to inform customers and kept incident under wraps
 
Online betting exchange Betfair is embroiled in a potential PR nightmare following the emergence of a wide-scale customer data theft that occurred just months before the company's flotation last year, according to the British newspaper The Telegraph.
 
The incident is believed to have taken place between March 28 and April 9 and to have been carried out by criminals suspected of operating from Cambodia. The sensitive data stolen included:

– payment card details of most of its customers;
– 3.15 million account usernames with encrypted security questions;
– 2.9 million usernames with one or more addresses; and
– 89,744 account usernames with bank account details.
 
The attack allegedly went undiscovered until a "production log server" crashed at Betfair's Malta data centre more than two months after the initial breach. Investigation of that crash led to the detection of "at least another nine servers that had been compromised in the UK and two in Malta".
 
Betfair reportedly informed the UK Serious Organised Crime Agency, Australian and German law enforcement authorities, UK and Maltese regulators and its credit card payment processor, the Royal Bank of Scotland, but failed to inform its customers.
 
A Betfair spokesperson revealed that, while the criminals had the expertise to decrypt the payment card details, the CVV2/CVC security codes were not among the stolen data, which the Royal Bank of Scotland advised "significantly limits the ability of the cards to be used fraudulently".
 
Betfair has insisted that there was no risk to customers at the time, that the stolen data was unusable for fraudulent activity, and that it had been recovered intact.
 
A Forensic Investigation Report on the theft by London-based Information Risk Management (IRM) concluded: "Appropriate information security governance is not in place within Betfair and as a consequence the business has been exposed to significant risks."