In-depth

How Paddy Power gambled against its customers' security

Davey Winder lets rip over Paddy Power's decision to tell customers about a data breach that happened four years ago...

A notice appeared on the Paddy Power corporate website at the end of last week, which confirmed details of a "historical data breach".

It boldly stated that no financial information or customer passwords were accessed during the breach, and a full investigation had revealed no adverse impact upon customer accounts.

So that's cool then, right? Well not really, Paddy. The clue is in the use of the word 'historical' which could easily be replaced by hysterical were this actually not at all funny. You see, as IT Pro reported, the breach itself took place in 2010.

I've got a bit of a bee in my bonnet about responsible disclosure when it comes to data breaches, and my definition of responsible incorporates two important strands: informing the customer while not impeding the investigation.

I therefore appreciate that sometimes an immediate notification is not possible as this disclosure could impede an investigation. Likewise, I don't recommend the knee jerk disclosure practise of coming clean before you know what has happened, who has been impacted and to what degree.

Telling customers to change passwords now, four years later, is akin to someone trying to place a bet on a race that's already ran.

Too soon is as bad as too late, and only serves to confuse customers. In all but the most complex cases 'too soon' does not extend beyond 24 hours.

Waiting four years before announcing a breach is like backing a 1000/1 shot to win the race; you may get away with it and come out smiling but the odds are set against you. When it is the reputation of your company and your brand that you are gambling with (and the ongoing security of your customers) I'm pretty certain this isn't a sensible thing to do.

In the Paddy Power statement, the company says that the full extent of the breach only became known to it 'in recent months' following a legal case in Canada.

Now it turns out this involved an allegation in May this year that some "historical data" had fallen into the hands of someone who shouldn't have it. The legal system retrieved that dataset and a forensic investigation, which began in July, showed information relating to nearly 650,000 customers had been compromised in 2010.

Ah, you may be thinking, that changes everything as the company didn't actually know about the breach until three months ago and it was not confirmed until three weeks ago. You would be wrong.

Paddy Power admits that it had "detected malicious activity in an attempted breach of its data security system in 2010" and it "suspected that some non-financial customer information may have been exposed and a full review of security systems was undertaken."

Yet it did not feel it necessary to inform those 650,000 customers of this breach apparently. It has taken four years for that feeling to emerge. This, frankly, shows an outrageous disregard for customers. Telling those customers to change passwords now, four years later, is akin to someone trying to place a bet on a race that's already ran.

It's so farcical that it almost beggars belief, especially when the compromised data apparently included email addresses and answers to security questions. Just the kind of data the bad guys want in order to access other accounts.

Roll on when the EU finally pulls its finger out and its Data Protection Regulations make it absolutely clear cut and mandatory that breaches are disclosed within a sensible timeframe. The current drafts suggest 72 hours, even that's too long.

In most cases a 24-hour window will be long enough to close the holes, secure the networks and ensure both customer data and forensic evidence are preserved. 

Featured Resources

Humility in AI: Building trustworthy and ethical AI systems

How humble AI can help safeguard your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Leadership compass: Privileged Access Management

Securing privileged accounts in a high-risk environment

Download now

Why you need to include the cloud in your disaster recovery plan

Preserving data for business success

Download now

Recommended

IBM: Hackers are targeting COVID-19 vaccine 'cold chain'
Security

IBM: Hackers are targeting COVID-19 vaccine 'cold chain'

3 Dec 2020
GitHub: Open source vulnerabilities can go undetected for four years
Security

GitHub: Open source vulnerabilities can go undetected for four years

3 Dec 2020
What is shoulder surfing?
Security

What is shoulder surfing?

2 Dec 2020
Security benefits of open virtualised RAN
Whitepaper

Security benefits of open virtualised RAN

2 Dec 2020

Most Popular

350,000 Spotify users hacked in credential stuffing attack
Security

350,000 Spotify users hacked in credential stuffing attack

24 Nov 2020
Samsung Galaxy Note might be discontinued in 2021
Mobile Phones

Samsung Galaxy Note might be discontinued in 2021

1 Dec 2020
IT Pro 20/20: Why tech can't close the diversity gap
Careers & training

IT Pro 20/20: Why tech can't close the diversity gap

1 Dec 2020