Punters at Risk after Paddy Power Security Breach
Over half a million customers’ details were compromised in 2010
An unprecedented data breach at Paddy Power has led to over 649,000 customers having information including their names and addresses compromised, it has been revealed.
The accounts affected were those created in 2010 or earlier. Following the incident, the company instigated a security audit, overhauling the system that had been infiltrated and updating to more modern and secure technology.
However, Paddy Power neglected to inform their customers about the security breach at the time. Speculation as to why they have waited until now to reveal the online attack is ongoing.
Several months before the database was compromised, the Data Protection Commissioner introduced a code of practice pertaining to such situations. Unfortunately for Paddy Power users, the code is voluntary and leaves companies free not to reveal such incidents.
The news came to light after a man in Canada was found to be in possession of the sensitive data. After obtaining two court orders, Paddy Power was able to intercept and seize the information. After four years, however, it is quite possible the damage has already been done.
Although Paddy Power are insisting that no bank or credit card details were exposed through the hacking, there is plenty of information that could be used to bypass security settings at an array of websites. Among the details stolen were usernames, dates of birth, maiden names, and security questions and answers. For many users, such details are commonly used across multiple websites, which increases the potential damage exponentially.
A statement from the company’s Managing Director of Online services, Peter O’Donovan, apologised for the breach but was also quick to allay fears by claiming there was no risk to customers or their accounts:
“We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result.
“We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.
“Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats. This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure.”
Conversely, Clearswift Information Security Specialist Maksym Schipka said that Paddy Power’s refusal to share the information at the time of the attack has led to an increased risk to victims. He also suggested that the secretive nature of the company in withholding information for four years means that it is possible they are still not revealing the true extent of the damage:
“Today’s announcement of a massive data breach at gambling firm Paddy Power is of huge concern due to the company’s failure to publicly disclose the attack, having allegedly had knowledge of it since 2010. It implies a huge failure on Paddy Power’s behalf to maintain control and protection of its users’ critical information – which includes names, addresses, dates of birth, and even the maiden names of mothers – and communicate the breach to its many customers, who have been at risk for all of this time.
“A breach on this scale, combined with the lack of transparency demonstrated by the company, will certainly affect its professional reputation. Similar to the recent eBay cyber-attack, it is not yet clear as to why the company has waited until now, four years later, to tell its customers and also confirm how the breach occurred, so the true extent of the data loss is potentially not yet known.
“What we do know is that the company was approached by a third party who became aware that a person in Canada was in possession of personal details of Paddy Power customers. The effect of this information including personal data of many people taking part in gambling activities falling into the wrong hands should not be underestimated.”
Despite the company’s refusal to share information that many would deem the customers’ right to know, the fact that disclosure was optional means no fine will be imposed upon Paddy Power. As the Data Protection Commissioner, Billy Hawkes has the right to discuss breaches in his annual report – but this won’t occur until May 2015.
This attack underlines the importance of online security. As internet usability goes from strength to strength and becomes more integral to our daily lives, it is only natural that internet users can become overly comfortable and perhaps forget some of the basics. Coupled with increasingly sophisticated hacking schemes, this is a dangerous situation, and so staying alert online is of crucial importance to your security.
Unique passwords for each website are a vital tool in your online arsenal of self-preservation. It is understandable that many people use just one or two passwords across a number of websites out of habit and an unwillingness to memorise dozens of different passwords. The downside, as demonstrated in this attack, is that hackers gaining access to your password will then have access to your entire online world. It is also important to use complicated passwords that are not easy to guess, using a variety of upper case and lower case letters intertwined with numerical characters.
This is particularly true for accounts that contain your financial information. Online banking, gambling and shopping websites are among the likely contenders. Particular care should be taken when creating usernames and passwords for these websites.
Keeping your computer’s anti-virus up to date is essential, and will help deter some of the more advanced hackers. Some viruses are capable of lying dormant on your computer for months, waiting for you to enter credit card information before relaying it back to the hacker’s database. Check your computer regularly for viruses and always update your anti-virus as soon as such updates become available. Following these simple steps should help prevent online fraud being committed against you.
Paddy Power has claimed it will be getting in touch with customers whose accounts have been breached, though some experts are recommending that all Paddy Power users change their usernames and passwords as a precaution.