Paddy Power take action on 2010 data breach


If you are a long-time customer of Paddy Power (joined pre-2010) and you’re sick to death of all the annoying spam email you get from other (probably less reputable) casinos, then this story will interest you.

It has hit the headlines just recently, but has been festering since 2010.

Back then, an as yet unnamed hacker from Malta managed to get his/her hands on certain information contained in a Paddy Power customer database. Financial details (credit card numbers etc.) and passwords weren’t compromised, a fact that Paddy Power have been at pains to emphasise, but the contact details (name, email, address and date of birth) of around 650,000 customers were.

As you can imagine, this list of stolen email addresses has been doing the rounds for the last four years or so among ‘database brokers’ (the bottom feeders of the online gambling world), touted for sale over and over again as a valuable marketing commodity. One such broker, a Canadian man named Jason Ferguson, got a nasty surprise last month when representatives of Paddy Power paid him a visit armed with court orders enabling a search of his computer equipment and bank accounts. The stolen data was found and wiped.

Earlier Ferguson had been negotiating the sale of the stolen data to a buyer in the UK. €7,600 was the asking price. But the buyer was never going to pay – he was actually a UK data breach specialist hired by Paddy Power.

Ferguson claims that a yet to be identified hacker in Malta is the original source of the files he was trying to sell. “I bought lots of data for marketing but I did not hack anything,” he told Bloomberg. He also said:

“I thought I was acting within the realm of legality…Is it ethical? Should I have had the data? To my knowledge, there’s no precedent.”

Disappointingly, he won’t be prosecuted for acquiring and trying to sell the stolen data.

Out of respect to all of us who have been on the receiving end of piles (either definition applies here) of online gambling spam email over the years, at the very least I reckon Mr Ferguson and any other sellers of such databases should be sentenced to a term of extreme annoyance. Say 6 months locked in a house with Justin Bieber, the only other contact allowed with the outside world being phone calls from salespeople trying to sell them stuff they don’t want.

For their part, Paddy Power went public on the breach about 4 years after it occurred, and probably close to 4 years after they became aware of it. They released a statement on their website and began contacting affected customers earlier this month. They say they’ve tightened up security with a £4m investment in IT security systems in recent years.

Spokesperson Peter O’Donovan had the following to say on the matter:

“We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach…We are communicating with all of the people whose details have been compromised to tell them what has happened.”

Case closed.

Apart from the hundreds of spammers still bulk mailing to this database.
