Monday August 11,2014 : ANATOMY OF A SECURITY BREACH
A closer look at the theft of 649,000 player details from Paddy Power.
One of the biggest data breaches in online gambling history – the theft of 649,000 player details from online gambling group Paddy Power ) – has been examined in detail by the Bloomberg business news service, which reveals:
* In 2010 (when the theft is believed to have occurred) Paddy Power technicians detected what they thought was "malicious activity."
* Three years later, in December 2013, a Canadian affiliate marketer and entrepreneur called Jason Ferguson (45) came across an offer of a player database for sale (something he claims is commonplace on the internet) from an unknown seller apparently based in Malta. The parties negotiated the sale of the database for Euro 6,700 and Ferguson took delivery and presumably used the content in his endeavours to market to players or sell the database on. He claims he was not aware that the database was stolen, and that he did nothing wrong.
* Earlier this year data breach consultant Joe Saumarez Smith became aware of Ferguson's database whilst investigating another and unrelated issue. He contacted Ferguson, who convinced him of the value of the database and sent him a sample to clinch a sale.
* After examining the sample, Saumarez Smith suspected that it may be the property of Paddy Power, and he handed it over to the betting company, which immediately tasked a special team to analyse it. They confirmed that it was Paddy Power material.
* In collaboration with the Ontario courts and police, Paddy Power's legal representatives then obtained court orders for the search of Ferguson's bank account and his computer equipment.
* Ferguson's shock on July 7, when a posse descended on his home office with the court orders can only be imagined. He cooperated, and a hard drive was seized, wiped clean of the Paddy Power information, and returned to him (he has since destroyed it, saying he wants nothing more to do with the issue).
The police found no evidence that might indicate criminal or malicious activity on Ferguson's part, and he has not been prosecuted.
Paddy Power had the embarrassment of belatedly having to tell players about the breach, which received wide media coverage.
In a statement posted on its website on July 31st, the company revealed the breach for the first time publicly, and started alerting the 649,000 customers affected. While the data didn’t include account passwords or financial information, and would not have allowed access to customer accounts, the company apologised.
The betting company was also severely criticised by Ireland’s Data Protection Commissioner for not reporting the breach timeously.
“I am very disappointed that it has taken until now for Paddy Power to inform its customers,” Minister for Data Protection Dara Murphy said in a statement. “While it’s not mandatory to report such breaches, it is recommended best practice.”