Vertical Markets

Outrage at Paddy Power

by Mark Rowe

The Irish bookmaker Paddy Power disclosed that near 650,000 customers had their personal data stolen during a cyber attack in 2010. The company, which disclosed the breach to the Office of the Data Protection Commissioner and An Garda Siochána in Ireland, stated that no financial information or passwords were accessed by the cyber criminals. Names, usernames, addresses, email addresses, phone numbers and security questions and answers were lost. The company reports that it has since invested more than 4m euros in IT security.

Ross Brewer, vice president and managing director for international markets at IT security product firm LogRhythm commented: “It is absolutely outrageous that Paddy Power is only now revealing a breach that took place four years ago. It’s now telling the affected customers to review their passwords, if they use the same one for multiple sites – but four years later, it’s likely to be a case of too little, too late.

“Today security breaches are all too common and organisations should be compelled to reveal any attempts as soon as they occur – particularly when customer data is stolen. With 650,000 names and addresses, there is a whole host of frequent activity the thieves could carry out, especially when the victims are kept in the dark. What is more, with the answers to security questions at their fingertips, it is likely the hackers would be able to access other online accounts, which could include business related accounts. This is yet another example of why the government needs to act now to pass mandatory data breach disclosure laws for any company that holds personal information.

“Of course, these organisations must first have the ability to identify any potential threats immediately and with huge volumes of data being processed every day, this is no easy task. It requires constant visibility into every single piece of activity across the network and the ability to understand, and baseline, ‘normal’ activity. Not only does such insight increase the chances of stopping an attack, but also allows organisations to inform customers far earlier – thus containing the damage. The public already don’t trust organisations to keep their data safe and by failing to disclose breaches, businesses are taking a serious gamble with their reputation.”

And Paul Ayers, VP EMEA, at data security product firm Vormetric said: “There are two key takeaways from today’s revelation that Paddy Power suffered a data breach in 2010. First, given the scale of the numbers involved and type of data stolen – names, addresses, dates of birth, and security question answers of some 649,000 customers – it is clear a database was at the heart of the attack. Second, is the fact that it took some four years for the event to be made public.

“Businesses continue to be targeted for customer’ data, and must appreciate the value of the sensitivity of the information they collect – and today’s events will add further weight to the mandate for tighter breach notification laws. Given the most recent draft of the proposed EU Data Protection Regulation stipulates that data controllers are obliged to notify the relevant privacy regulator of a breach within a 72 hour period, businesses across the board need to be ready to respond to breach incidents much faster.”

Mark James, technical team leader at ESET, spoke of the importance of notifying customers as soon as possible: “It is imperative not only for customer relations but for security sake that these breaches are reported to the end users as soon as possible. I understand there are a set of guidelines the ICO impose regarding notifying them (24 hours) and the public (no time frame) but I personally believe the damage is much worse the longer you leave it. Paddy Power state that they have “not detected any suspicious activity to indicate that customers’ accounts have been adversely impacted in any way” but often the data is not used for that purpose – it’s the basis for other activities and that’s why the end users need to be informed as soon as possible.

“649,055 users pieces of potential data that can be used to gain access to other online accounts inc customer’s name, username, address, email address, phone contact number, date of birth and prompted question and answers is always an issue. The only thing we the end user can do to mitigate the damage is to change the password if used on other sites but it’s also things like secret questions and answers. If we are aware of the breach we can ensure these answers are not used in the future.”

Troy Gill, senior security analyst at AppRiver said customers shouldn’t panic: “There is no need for panic here since no financial or password info has actually been exposed. It might be a good idea for Paddy Power to reset the few things that can be changed for these customers such as question and response specifics and username. Of course these events at the very least serve as a great reminder to keep up good security practices – utilising different passwords for each account – even if they are a minor inconvenience now, they could potentially save you a major inconvenience down the road. However, according to the disclosure from Paddy Power they do not believe that the passwords were ever stolen/exposed. As more disclosure laws are being implemented all the time, I expect to see an upward trend in data breach disclosures over the near future. In this case it appears they only recently verified that the data had actually been stolen back in 2010.”

And David Harley, ESET Senior Research Fellow, said: “Intentional long-term non-disclosure is not new. In fact, the trend recently has been away from that because in several jurisdictions non-disclosure may incur legal sanctions if it’s not in the interest of its customers. Even before that, some companies found that the sky didn’t fall if they advised their customers that they were potentially affected by a breach, and that some of those customers even appreciated it. It may be, though, that in the light of some recent cases, companies will be less likely to volunteer information until it becomes necessary, for fear of inviting legal action, especially class actions.

“Using different passwords is still best practice, and essential when it comes to sites where sensitive data such as banking info is concerned, despite Some people (notably in a recent Microsoft paper) who argue that this is overkill in some instances. For a customer, if your service provider drops the ball, it doesn’t matter how good your password is. Without getting into what you need to do in individual cases (which will vary hugely), it’s sensible never to assume that the provider will provide you with perfect protection. If they let you know, act on it. If you’re not aware of any issues, it still makes sense to provide yourself with the best protection you can in any instance where your data matters (is sensitive). Don’t share passwords across sensitive accounts, use alternative/augmentative technologies (eg multi-factor authentication) where it’s available.”

Related News

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing