Almost 650,000 customers of gambling firm Paddy Power had their personal data stolen during a cyber-attack on its IT systems back in 2010, the company has warned.
Paddy Power uncovered the breach with the assistance of Ontario Provincial Police in Canada, after it took legal action to retrieve a stolen dataset from an unnamed individual.
It has now taken steps to disclose the breach to the Office of the Data Protection Commissioner and An Garda Siochána in Ireland, and is contacting 649,055 affected customers, all of whom held online accounts with Paddy Power.
In a statement, Paddy Power insisted no customers’ financial information or passwords were accessed, and said it had found no evidence that any accounts were accessed.
Customers who have opened accounts since 2010 were not affected either, it said.
However, it said missing data included real names, usernames, addresses, email addresses, phone contact numbers, and prompted security questions and answers.
Paddy Power urged affected customers to review other sites where they may have used the same prompted question and answer for security purposes, and update that information where appropriate.
Paddy Power online managing director Peter O’Donovan apologised to customers affected by the breach.
- Security Think Tank: Ready for your data breach moment?
- European retail data breaches largely hidden, SC Congress hears
- UK micro businesses unprepared for data breaches, study shows
“We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.”
He added: “Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats. This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure.”
O’Donovan said Paddy Power has since invested over €4m in its IT security systems.
Mark James, technical team lead at security supplier ESET, said the breach demonstrated the importance of notifying customers about data breaches as soon as possible.
“The only thing the users can do to mitigate the damage is to change the password if used on other sites, but it’s also things like secret questions and answers. If we are aware of the breach we can ensure these answers are not used in the future.”
AppRiver senior security analyst Troy Gill said it was reasonable to see Paddy Power’s disclosure as symptomatic of an upward trend as more and tougher disclosure laws are implemented around the world.