If someone did you wrong but you never knew about it, did they still do you wrong? If the act never actually hurt you, was it still a problem? What if it happened four years ago? Is there a statute of limitations for being furious?

Those may sound like stupid questions, but they could be some of the things that hundreds of thousands of poker players may be thinking about right now. On Thursday, online gambling firm Paddy Power revealed that it was the victim of a “historical” data breach. More importantly, though, a gigantic number of Paddy Power customers – 649,055 to be exact – were victimized, as they had some of their personal account information stolen by hackers.

It is an odd case, leading to questions as to whether Paddy Power was negligent in its original investigation and response, or if it was just a case of the company being victimized when it did its best to protect its data. In a press release, Paddy Power said that it detected “malicious activity in an attempted breach of its data security system” back in 2010. It investigated the matter and determined that no highly sensitive data such as customer financial information or passwords were accessed, but that it still “suspected that some non-financial customer information may have been exposed.”

Curiously, though, Paddy Power never alerted its players that this occurred. It was not until this past May that the company brought any of this to light, and it still wasn’t the customers who were contacted. Poker news site Flushdraw.net contacted the Irish Data Protection Commissioner about the issue, to which it replied:

On the 12th May, 2014 Paddy Power notified this Office of a data security breach in accordance with our Personal Data Security Breach Code of Practice. This Office then launched an investigation into the matter…

We understand Paddy Power had identified the attack back in October 2010 and implemented security measures to stop the attack. Following discussions, this Office is satisfied with the measures implemented by Paddy Power to prevent a repeat of this type of incident. In line with our approach to data breaches generally, we have advised the organisation to notify affected individuals and we understand that Paddy Power is commencing that process today. This Office would recommend that affected individuals follow the advice given by Paddy Power to change their security questions on any other sites where they may have been used.

Our investigation of this matter is continuing and we anticipate that further recommendations will issue from this Office to Paddy Power in relation to security of data.

According to Paddy Power, data that was compromised contained customers’ names, addresses, phone numbers, e-mail addresses, birth dates, and security questions and answers.

It is not known why Paddy Power never addressed the situation publicly in 2010, though one might speculate that it was because they thought they could get away with keeping it a secret. If no login or financial information was stolen, Paddy Power may have felt that the chances of anything truly malicious happening were low, so if it just made sure this could never happen again, it would be fine. What customers don’t know won’t hurt them. But this May, all that had a chance of blowing up, as, according to the press release, the company was advised “that an historical customer dataset was in the possession of an identified individual in Canada.”

At that point, Paddy Power contacted An Garda Síochána, the Irish police force, as well as the Office of the Data Protection Commissioner. Along with the Ontario Provincial Police, Paddy Power was able to seize the mystery individual’s computers, recover the stolen data, and examine his financial transactions. That is when Paddy Power officially determined the great extent of the heist.

Paddy Power’s Peter O’Donovan addressed the situation in the press release, saying:

We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result. We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.
