1/24/10 – The start of a major furore over privacy was signalled over the weekend when the Daily Mail reported that the confidential records of millions of British gamblers who bet with top bookmaker Ladbrokes had been offered for sale to The Mail on Sunday newspaper.
The Mail reports that this huge alleged theft of data is now at the centre of a criminal investigation. There are allegations that the newspaper was given the personal information of 10 000 Ladbrokes customers and offered access to its database of 4.5 million punters in the UK and abroad.
The newspaper group alerted Ladbrokes to the damaging security breach and handed the customer files to the Information Commissioner's Office (ICO), Britain's data watchdog, which immediately began to investigate.
The records include customers' home addresses, details of their gambling history, customer account numbers, dates of birth, phone numbers and email addresses. Credit card and banking details are reported to be excluded from the material.
Ladbrokes has called in the police and began contacting customers over the weekend to reassure them that their credit card details, passwords and other financial information were safe.
The Daily Mail reports that the sensitive database was offered for sale by a mysterious Australian, who claimed to be a computer security expert who had worked at Ladbrokes in Britain.
The newspaper led the seller on to get more information, and during protracted negotiations via email and in one phone call, the man, who gave his name only as ‘Daniel', claimed to represent a company based in Melbourne, Australia.
The company, DSS Enterprises, is run by one Dinitha Subasinghe, a Sri Lankan-born IT expert.
Approached by the newspaper, Subasinghe denied any involvement in the data theft. He designs websites and also runs a wedding planning business with his British-born girlfriend Charlene King.
Checks with Australia's companies house found that Subasinghe was described as a ‘sole trader'. His recent work has involved designing websites for estate agents in Melbourne, but he also lists Ladbrokes and the UK Ministry of Defence as clients.
Subasinghe told reporters: "I have no access to any Ladbrokes database or any other information. I provided analytical services to them for 18 months during 2007 and 2008."
Subasinghe said he had been on holiday in the UK in November and still kept in touch with members of Ladbrokes staff on a social basis, adding: "Unless my name, my signature, my fingerprint is on anything, it has nothing to do with me.
"I had a call from a senior person at Ladbrokes this morning. I did not take the call. I don't know what they are ringing me about."
With the story breaking fast, The Mail on Sunday received an email from ‘Daniel' saying that he was ending the negotiations and warning the newspaper against passing his details to the authorities.
David Smith, the ICO Deputy Commissioner, said: "The ICO takes breaches of individuals' privacy very seriously. Any organisation which processes personal information must ensure that adequate safeguards are in place to keep that information secure.
"We are grateful to The Mail on Sunday for bringing this security breach to our attention and will be contacting Ladbrokes to establish how it occurred and to find out what steps it will be taking to ensure that such a breach cannot happen again.
"We are particularly concerned that up to 4.5 million customer records containing personal information are allegedly for sale. Stealing personal data and selling it is a criminal offence. We will investigate whether an offence has been committed."
The Mail on Sunday was apparently first approached by ‘Daniel' – using the email address ‘theinsidescoopuk' – earlier this (January) month. He claimed to have worked as an IT security consultant for Ladbrokes two years ago. He said he had been passed the data by a ‘relatively junior' employee, who was trying to sell it on.
‘Daniel' claimed that his initial intention was to tip off Ladbrokes about the security breach, but he then decided it would be better to contact the media.
Ciaran O'Brien, head of PR at Ladbrokes, said: "We have been informed that a person connected to our organisation has offered certain details from a customer database to The Mail on Sunday.
"This is a criminal act and we are working with the police, the ICO and the newspaper to identify and apprehend the culprit.
"We are in the process of contacting customers to apologise for this breach in security and to reassure them that everything is being done to protect their personal information.
"Importantly, we do not believe that customer accounts or banking data can be accessed."