Irish bookmaker Paddy Power hacked and personal details of 649,000 customers stolen in 2010. Advises customers in late July 2014

August 3, 2014

In the new world of privacy regulation and enforcement in Australia, the issue of cyber security, or APP 11 under the Privacy Act 1988, goes further than maintaining adequate firewalls, passwords and anti-virus software. How data is stored, and how personal information is secured behind the outer defences of an organisation’s internet interface, can be as important as those defences themselves. The law of averages suggests that at some stage an organisation which is a tempting target to cyber criminals will find its defences breached by either a hack or social engineering. The issue then is whether data is encrypted, whether personal information is stored in such a way as to be difficult to match by an opportunistic thief, and whether there are systems in place to detect unauthorised access. In many organisations those issues are rarely considered, let alone properly implemented. In Australia there is no mandatory data breach notification regime. That helps organisations avoid making potentially embarrassing disclosures and gives a false sense of the scale of a data security problem which, if overseas experience is any guide, is quite significant. It also contributes to a laxity by organisations in properly protecting themselves and, more particularly, the personal information of clients they hold.

The Guardian, in “Paddy Power admits personal details of 649,000 customers were stolen in 2010”, highlights all of these issues in another jurisdiction. The bookmaker’s site was hacked and personal information stolen. It only became aware of the intrusion when it was informed in May 2014. It then waited 2+ months before informing customers. That bespeaks woeful data security practices on a range of levels.

The article provides:

Irish bookmaker Paddy Power has revealed its website was hacked in 2010 and personal details of more than 649,000 customers stolen.

The breach was revealed on Thursday as the bookie wrote to inform customers of the incident.

The stolen data included names, addresses, dates of birth, and details of the question and answer prompts often used to verify account details. However, the company said that no personal financial information had been taken.

Peter O’Donovan, managing director of Paddy Power’s online division, said: “We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result. We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach.”

The bookmaker was advised in May 2014 that some of its data was in the possession of an identified individual in Canada, and the company alerted An Garda Síochána, the Irish police force. The Canadian individual’s IT assets have since been seized via a court order and with the assistance of the Ontario police.

In March Paddy Power said it had 1.9 million active online customers, up 19% on the previous year. Like many bookmakers, it is experiencing an online boom. In 2013, it won €473m (£375m) from online punters, an increase of 21%.
