Yesterday, popular gambling website Paddy Power found itself admitting that it had suffered a serious data breach - the kind of position that no company ever wants to find itself in.
Not that you would know if you visited their website, of course. Because there’s no mention of the issue on the front page that their customers visit. Instead they will need to find the link buried away in their press release section.
But when you dig into the details of this particular breach, and its public disclosure, you find things are actually a lot worse.
Firstly, this wasn’t a breach involving a small number of customers. Paddy Power believes that the personal details of almost 650,000 customers (649,055 if we’re being precise) were put at risk by hackers who broke into the company’s computer systems.
That’s a lot of gambling customers who have been exposed to more risk than perhaps they feel comfortable with.
Secondly, although financial information such as credit card details were not compromised (thank goodness) there was an awful lot of information which was - including customers’ names, usernames, addresses, email addresses, phone numbers, dates of birth and “prompted question and answer”.
Even though no passwords were grabbed by the hackers, there are still plenty of ways in which fraudsters and online criminals could exploit the information which has been exposed. For instance, it’s simple to imagine carefully crafted emails could be sent to customers (using the personal information taken from the stolen user database to make them appear more convincing) that could be designed to trick innocent victims into revealing more details about themselves, or clicking on dangerous links that could put their computers and their financial information at greater risk.
Thirdly, Paddy Power is at pains to point out that the incident has “no impact on customers who opened accounts after 2010”.
Now, you may think that’s good news - but dig a little deeper into the story and the truth tumbles out.
You see, Paddy Power first identified that it had been hacked back in 2010.
In its own words:
“Paddy Power had detected malicious activity in an attempted breach of its data security system in 2010. A detailed investigation was undertaken at the time and determined that no financial information or customer passwords had been put at risk. It was, however, suspected that some non-financial customer information may have been exposed and a full review of security systems was undertaken.”
The important thing to note is that Paddy Power did *not* at this point inform its 650,000 affected users. Instead they waited until this week - four years later - after a Canadian man was found in possession of the stolen data.
Paddy Power says it “takes its responsibilities regarding customer data extremely seriously” and is now warning customers “proactively”, as clearly there could be other websites where affected users could be using the same question and answer as security measures. (As with passwords, you shouldn’t reuse your trusted question/answer either).
“We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data,” said Paddy Power’s online managing director, Peter O’Donovan. “That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.”
What’s going on here is really damage limitation. It’s not so much about limiting the damage done by the data stolen by the hackers four years ago, but minimising the damage caused by Paddy Power’s sloppy handling of the incident.
It should have warned their users about the security breach back in 2010, and advised them to review passwords and security questions/answers as a precaution. At the same time Paddy Power could have warned users about the risks of bogus emails and fraud connected with the personal data (names, dates of birth, addresses) that might have fallen into the hands of cybercriminals.
And they should have informed the data protection commissioners four years ago too.
Waiting four years to tell your customers and the authorities that your company has suffered a security breach isn’t just sloppy, it seems downright irresponsible to me.
It should have shared the bad news much earlier, and not tried to hide it away four years later on a webpage that few of its customers will ever visit.
This article originally appeared on the Lumension blog.