How Paddy Power gambled against its customers' security
Davey Winder lets rip over Paddy Power's decision to tell customers about a data breach that happened four years ago...
A notice appeared on the Paddy Power corporate website at the end of last week, which confirmed details of a "historical data breach".
It boldly stated that no financial information or customer passwords were accessed during the breach, and a full investigation had revealed no adverse impact upon customer accounts.
So that's cool then, right? Well not really, Paddy. The clue is in the use of the word 'historical' which could easily be replaced by hysterical were this actually not at all funny. You see, as IT Pro reported, the breach itself took place in 2010.
I've got a bit of a bee in my bonnet about responsible disclosure when it comes to data breaches, and my definition of responsible incorporates two important strands: informing the customer while not impeding the investigation.
I therefore appreciate that sometimes an immediate notification is not possible as this disclosure could impede an investigation. Likewise, I don't recommend the knee jerk disclosure practise of coming clean before you know what has happened, who has been impacted and to what degree.
Telling customers to change passwords now, four years later, is akin to someone trying to place a bet on a race that's already ran.
Too soon is as bad as too late, and only serves to confuse customers. In all but the most complex cases 'too soon' does not extend beyond 24 hours.
Waiting four years before announcing a breach is like backing a 1000/1 shot to win the race; you may get away with it and come out smiling but the odds are set against you. When it is the reputation of your company and your brand that you are gambling with (and the ongoing security of your customers) I'm pretty certain this isn't a sensible thing to do.
In the Paddy Power statement, the company says that the full extent of the breach only became known to it 'in recent months' following a legal case in Canada.
Now it turns out this involved an allegation in May this year that some "historical data" had fallen into the hands of someone who shouldn't have it. The legal system retrieved that dataset and a forensic investigation, which began in July, showed information relating to nearly 650,000 customers had been compromised in 2010.
Ah, you may be thinking, that changes everything as the company didn't actually know about the breach until three months ago and it was not confirmed until three weeks ago. You would be wrong.
Paddy Power admits that it had "detected malicious activity in an attempted breach of its data security system in 2010" and it "suspected that some non-financial customer information may have been exposed and a full review of security systems was undertaken."
Yet it did not feel it necessary to inform those 650,000 customers of this breach apparently. It has taken four years for that feeling to emerge. This, frankly, shows an outrageous disregard for customers. Telling those customers to change passwords now, four years later, is akin to someone trying to place a bet on a race that's already ran.
It's so farcical that it almost beggars belief, especially when the compromised data apparently included email addresses and answers to security questions. Just the kind of data the bad guys want in order to access other accounts.
Roll on when the EU finally pulls its finger out and its Data Protection Regulations make it absolutely clear cut and mandatory that breaches are disclosed within a sensible timeframe. The current drafts suggest 72 hours, even that's too long.
In most cases a 24-hour window will be long enough to close the holes, secure the networks and ensure both customer data and forensic evidence are preserved.