In-depth

How Paddy Power gambled against its customers' security

Davey Winder lets rip over Paddy Power's decision to tell customers about a data breach that happened four years ago...

A notice appeared on the Paddy Power corporate website at the end of last week, which confirmed details of a "historical data breach".

It boldly stated that no financial information or customer passwords were accessed during the breach, and a full investigation had revealed no adverse impact upon customer accounts.

So that's cool then, right? Well not really, Paddy. The clue is in the use of the word 'historical' which could easily be replaced by hysterical were this actually not at all funny. You see, as IT Pro reported, the breach itself took place in 2010.

I've got a bit of a bee in my bonnet about responsible disclosure when it comes to data breaches, and my definition of responsible incorporates two important strands: informing the customer while not impeding the investigation.

I therefore appreciate that sometimes an immediate notification is not possible as this disclosure could impede an investigation. Likewise, I don't recommend the knee jerk disclosure practise of coming clean before you know what has happened, who has been impacted and to what degree.

Telling customers to change passwords now, four years later, is akin to someone trying to place a bet on a race that's already ran.

Too soon is as bad as too late, and only serves to confuse customers. In all but the most complex cases 'too soon' does not extend beyond 24 hours.

Waiting four years before announcing a breach is like backing a 1000/1 shot to win the race; you may get away with it and come out smiling but the odds are set against you. When it is the reputation of your company and your brand that you are gambling with (and the ongoing security of your customers) I'm pretty certain this isn't a sensible thing to do.

In the Paddy Power statement, the company says that the full extent of the breach only became known to it 'in recent months' following a legal case in Canada.

Now it turns out this involved an allegation in May this year that some "historical data" had fallen into the hands of someone who shouldn't have it. The legal system retrieved that dataset and a forensic investigation, which began in July, showed information relating to nearly 650,000 customers had been compromised in 2010.

Ah, you may be thinking, that changes everything as the company didn't actually know about the breach until three months ago and it was not confirmed until three weeks ago. You would be wrong.

Paddy Power admits that it had "detected malicious activity in an attempted breach of its data security system in 2010" and it "suspected that some non-financial customer information may have been exposed and a full review of security systems was undertaken."

Yet it did not feel it necessary to inform those 650,000 customers of this breach apparently. It has taken four years for that feeling to emerge. This, frankly, shows an outrageous disregard for customers. Telling those customers to change passwords now, four years later, is akin to someone trying to place a bet on a race that's already ran.

It's so farcical that it almost beggars belief, especially when the compromised data apparently included email addresses and answers to security questions. Just the kind of data the bad guys want in order to access other accounts.

Roll on when the EU finally pulls its finger out and its Data Protection Regulations make it absolutely clear cut and mandatory that breaches are disclosed within a sensible timeframe. The current drafts suggest 72 hours, even that's too long.

In most cases a 24-hour window will be long enough to close the holes, secure the networks and ensure both customer data and forensic evidence are preserved. 

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Recommended

How to enable private browsing on any device
privacy

How to enable private browsing on any device

22 Sep 2020
Third-party apps are tracking your WhatsApp activity
social media

Third-party apps are tracking your WhatsApp activity

21 Sep 2020
Ransomwiz lets you test your security with simulated ransomware
ransomware

Ransomwiz lets you test your security with simulated ransomware

21 Sep 2020
Best free malware removal tools 2020
Security

Best free malware removal tools 2020

21 Sep 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Google Pixel 4a review: A picture-perfect package
Google Android

Google Pixel 4a review: A picture-perfect package

18 Sep 2020