Paddy Power Notifies Customers of 2010 Data Breach

Paddy PowerReports have surfaced which indicate there has been a massive data breach at Paddy Power that dates back to 2010. This news is pretty shocking to say the least, not just because it concerns customer’s private information, but because the breach occurred 4 years ago.

The news came to light after Paddy Power recently took legal action against an individual in Canada and so the whole ordeal is being played out in Canadian courts. The company discovered specifics about the data breach in May 2014 after being given a tipoff.

Following court proceedings, Paddy Power managed to secure two court orders, allowing them to seize the individual’s personal computers last month which contained the compromised user data. This data was retrieved and then deleted from the person’s computer.

The identity of the person living in Canada has not yet been revealed but it has been stated that the person is not employed by the Irish betting company. Reports also suggest that a third person may have been involved in the breach, but again the identity of this person is not known.

The investigation into the breach found that 649,055 customers on Paddy Power were affected, which in 2010 represented about a third of its player base. No Paddy customers who signed up for an account after 2010 were affected.

Based on the press release issued by Paddy Power on Thursday, every player that was affected by the breach has been contacted via email, but it has left many Paddy Power customers wondering why they are only now hearing details about the breach.

The email sent to players stated that no sensitive information was stolen, and according to the press release that was sent out, the extent of the data breach included the following: names, usernames, birthdates, e-mails, addresses, as well as phone numbers of affected customers.

It is also possible that answers to the secret question to gain access to customer accounts was compromised, and so users affected by the incident are being asked to change these answers to common questions on other online poker sites where they could potentially use these same answers. No financial data or passwords were obtained by the hackers.

A spokesperson for the Office of the Data Protection Commissioner said that they were disappointed that it took so long for Paddy Power to inform their players of the 2010 data breach.

The Irish betting company suspected something had occurred that year following a cyber-attack on its server, but made the decision at the time not to inform customers. Peter O’Donovan, the managing director of Paddy Power’s online operations was quoted as saying that there was “a detailed investigation and determined that no financial or password data had been put at risk.” They also claimed not to know a great deal about the incident until fairly recently, after which they initiated legal proceedings to gain access to the breached dataset.

Online security experts who were also dissatisfied with the delayed notification came out and said that Paddy Power customers could potentially be the target of “phishing” scammers who see this as a great opportunity to ask affected users to change their passwords in order to get access to their new login information, and so all customers that have been notified of the incident should be aware of this.

The announcement didn’t affect Paddy Power’s share price at all, although not surprisingly, many customers were unhappy that sensitive information about them was compromised and took to social media to vent their frustrations.