Are KYC requirements increasing cybercrime risks in iGaming?

Know Your Customer (KYC) requirements have become a fundamental part of regulation within the online gambling industry.

KYC measures are intended to counteract fraud, money laundering, underage gambling, and terrorist financing by requiring operators to gather and verify substantial personal information. Names, address verification documents, payment details and copies of passports or driver’s licenses all form part of the KYC information pile.

At first glance, the justification seems clear: gambling platforms turn over millions and are at risk of being exploited by criminals. However, while enhancing regulatory compliance, these processes also introduce new risks. By requiring the collection and storage of highly sensitive personal data on a large scale, KYC frameworks can increase the potential for cybercriminal exploitation.

This inherent conflict fuels a key debate: do KYC requirements truly safeguard users, or do they unintentionally expose them to greater threats when security systems backfire?

Recent high-profile breaches

In recent years, the online gambling industry has proven to be vulnerable to significant cyber incidents, underscoring the risks associated with handling vast amounts of sensitive user data.

In 2022, BetMGM announced a breach where attackers gained access to a database containing critical user information, including names, contact details, birth dates, and hashed social security numbers. The incident compromised the data of over 1.5 million users, drawing attention to the extensive personal records stored by gambling platforms.

Another notable breach occurred in 2025, affecting up to 800,000 customers of Paddy Power and Betfair. Although no financial or ID records were exposed, details such as IP addresses, partial addresses and device IDs were leaked: the kind of information that could see affected customers become the target of phishing or social engineering schemes.

Even more concerning are breaches involving complete KYC records. Just recently, crypto-gambling platform Shuffle announced a major data breach after its CRM provider was hacked. This breach not only exposed personal details and transaction records but also included sensitive identity verification documents like passports and driver’s licenses.

Vulnerabilities resulting from KYC requirements

KYC obligations inherently require the centralisation of sensitive personal data. This creates what cybersecurity experts describe as ‘data concentration risk’: the more valuable information stored in one place, the more attractive the target becomes.

Regulated iGaming operators must collect from customers highly sensitive personal information including:

  • government-issued ID documents
  • proof of address documents
  • payment and banking information
  • behavioural and transaction histories

When aggregated, this forms a highly detailed identity profile, more comprehensive than what is requested by most other e-commerce services. What’s more, cybercriminals know that regulated iGaming operators are required to hold all of this information, making them something of a honeypot.

A 2023 report from cybersecurity firm Trend Micro bluntly stated that these “gold mines” are uniquely attractive because a single breach “can yield complete identity packages ready for exploitation, from credit card fraud to account takeovers to full-scale identity theft.”

KYC requirements transform gambling platforms into repositories of highly sensitive identity data, similar to what financial institutions like banks hold. But while banks are well resourced to deal with these risks, not all online gambling firms are.

Ironically, KYC rules designed to combat criminality and reduce player harm could be increasing player risk.

KYC here to stay

Despite the risks KYC brings, the overwhelming weight of opinion from regulators seems to be that the benefits far outweigh the risks. There is little appetite for watering down requirements.

A 2024 strategic assessment by the G7’s anti-money laundering watchdog (Financial Action Task Force) re-emphasised that robust KYC is ‘the fundamental and non-negotiable anchor’ for preventing online operators from becoming financial conduits for organised crime and terrorist financing.

This position was backed by a 2023 UK Gambling Commission review that found stringent KYC checks were directly responsible for identifying and suspending thousands of accounts used for fraud or by under-age and vulnerable individuals.

The Commission did concede that KYC creates vulnerabilities. But their conclusion was that the absence of KYC would lead to far more immediate and widespread harm.
