In-depth

How Paddy Power gambled against its customers' security

Davey Winder lets rip over Paddy Power's decision to tell customers about a data breach that happened four years ago...

A notice appeared on the Paddy Power corporate website at the end of last week, which confirmed details of a "historical data breach".

It boldly stated that no financial information or customer passwords were accessed during the breach, and a full investigation had revealed no adverse impact upon customer accounts.

So that's cool then, right? Well not really, Paddy. The clue is in the use of the word 'historical' which could easily be replaced by hysterical were this actually not at all funny. You see, as IT Pro reported, the breach itself took place in 2010.

I've got a bit of a bee in my bonnet about responsible disclosure when it comes to data breaches, and my definition of responsible incorporates two important strands: informing the customer while not impeding the investigation.

I therefore appreciate that sometimes an immediate notification is not possible as this disclosure could impede an investigation. Likewise, I don't recommend the knee jerk disclosure practise of coming clean before you know what has happened, who has been impacted and to what degree.

Telling customers to change passwords now, four years later, is akin to someone trying to place a bet on a race that's already ran.

Too soon is as bad as too late, and only serves to confuse customers. In all but the most complex cases 'too soon' does not extend beyond 24 hours.

Waiting four years before announcing a breach is like backing a 1000/1 shot to win the race; you may get away with it and come out smiling but the odds are set against you. When it is the reputation of your company and your brand that you are gambling with (and the ongoing security of your customers) I'm pretty certain this isn't a sensible thing to do.

In the Paddy Power statement, the company says that the full extent of the breach only became known to it 'in recent months' following a legal case in Canada.

Now it turns out this involved an allegation in May this year that some "historical data" had fallen into the hands of someone who shouldn't have it. The legal system retrieved that dataset and a forensic investigation, which began in July, showed information relating to nearly 650,000 customers had been compromised in 2010.

Ah, you may be thinking, that changes everything as the company didn't actually know about the breach until three months ago and it was not confirmed until three weeks ago. You would be wrong.

Paddy Power admits that it had "detected malicious activity in an attempted breach of its data security system in 2010" and it "suspected that some non-financial customer information may have been exposed and a full review of security systems was undertaken."

Yet it did not feel it necessary to inform those 650,000 customers of this breach apparently. It has taken four years for that feeling to emerge. This, frankly, shows an outrageous disregard for customers. Telling those customers to change passwords now, four years later, is akin to someone trying to place a bet on a race that's already ran.

It's so farcical that it almost beggars belief, especially when the compromised data apparently included email addresses and answers to security questions. Just the kind of data the bad guys want in order to access other accounts.

Roll on when the EU finally pulls its finger out and its Data Protection Regulations make it absolutely clear cut and mandatory that breaches are disclosed within a sensible timeframe. The current drafts suggest 72 hours, even that's too long.

In most cases a 24-hour window will be long enough to close the holes, secure the networks and ensure both customer data and forensic evidence are preserved. 

Featured Resources

Security analytics for your multi-cloud deployments

IBM Security QRadar SIEM solution brief

Download now

Five reasons to move to the cloud

Join the enterprises moving their workloads to the cloud

Download now

Architecting hybrid IT and edge for digital advantage

Why business leaders should consider a hybrid IT strategy

Download now

Six reasons to accelerate remote asset monitoring with AI

How to optimise resources, increase productivity, and grow profit margins with AI

Download now

Recommended

Lazarus APT hacking group is targeting the defense industry
Security

Lazarus APT hacking group is targeting the defense industry

26 Feb 2021
Microsoft open sources CodeQL queries used in Solorigate inquiry
Security

Microsoft open sources CodeQL queries used in Solorigate inquiry

26 Feb 2021
CISA warns of ongoing Accellion File Transfer Appliance attacks
hacking

CISA warns of ongoing Accellion File Transfer Appliance attacks

25 Feb 2021
What is a Trojan?
Security

What is a Trojan?

25 Feb 2021

Most Popular

How to build a CMS with React and Google Sheets
content management system (CMS)

How to build a CMS with React and Google Sheets

24 Feb 2021
Oxford University COVID lab falls victim to hackers
hacking

Oxford University COVID lab falls victim to hackers

26 Feb 2021
Npower shuts down app after hackers steal user data
hacking

Npower shuts down app after hackers steal user data

25 Feb 2021