How Paddy Power gambled against its customers' security

Davey Winder lets rip over Paddy Power's decision to tell customers about a data breach that happened four years ago...

A notice appeared on the Paddy Power corporate website at the end of last week, which confirmed details of a "historical data breach".

It boldly stated that no financial information or customer passwords were accessed during the breach, and a full investigation had revealed no adverse impact upon customer accounts.

Advertisement - Article continues below

So that's cool then, right? Well not really, Paddy. The clue is in the use of the word 'historical' which could easily be replaced by hysterical were this actually not at all funny. You see, as IT Pro reported, the breach itself took place in 2010.

I've got a bit of a bee in my bonnet about responsible disclosure when it comes to data breaches, and my definition of responsible incorporates two important strands: informing the customer while not impeding the investigation.

I therefore appreciate that sometimes an immediate notification is not possible as this disclosure could impede an investigation. Likewise, I don't recommend the knee jerk disclosure practise of coming clean before you know what has happened, who has been impacted and to what degree.

Telling customers to change passwords now, four years later, is akin to someone trying to place a bet on a race that's already ran.

Advertisement - Article continues below
Advertisement - Article continues below

Too soon is as bad as too late, and only serves to confuse customers. In all but the most complex cases 'too soon' does not extend beyond 24 hours.

Waiting four years before announcing a breach is like backing a 1000/1 shot to win the race; you may get away with it and come out smiling but the odds are set against you. When it is the reputation of your company and your brand that you are gambling with (and the ongoing security of your customers) I'm pretty certain this isn't a sensible thing to do.

In the Paddy Power statement, the company says that the full extent of the breach only became known to it 'in recent months' following a legal case in Canada.

Now it turns out this involved an allegation in May this year that some "historical data" had fallen into the hands of someone who shouldn't have it. The legal system retrieved that dataset and a forensic investigation, which began in July, showed information relating to nearly 650,000 customers had been compromised in 2010.

Advertisement - Article continues below

Ah, you may be thinking, that changes everything as the company didn't actually know about the breach until three months ago and it was not confirmed until three weeks ago. You would be wrong.

Paddy Power admits that it had "detected malicious activity in an attempted breach of its data security system in 2010" and it "suspected that some non-financial customer information may have been exposed and a full review of security systems was undertaken."

Yet it did not feel it necessary to inform those 650,000 customers of this breach apparently. It has taken four years for that feeling to emerge. This, frankly, shows an outrageous disregard for customers. Telling those customers to change passwords now, four years later, is akin to someone trying to place a bet on a race that's already ran.

It's so farcical that it almost beggars belief, especially when the compromised data apparently included email addresses and answers to security questions. Just the kind of data the bad guys want in order to access other accounts.

Advertisement - Article continues below

Roll on when the EU finally pulls its finger out and its Data Protection Regulations make it absolutely clear cut and mandatory that breaches are disclosed within a sensible timeframe. The current drafts suggest 72 hours, even that's too long.

In most cases a 24-hour window will be long enough to close the holes, secure the networks and ensure both customer data and forensic evidence are preserved. 

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Putting a spotlight on cyber security

An examination of the current cyber security landscape

Download now

The economics of infrastructure scalability

Find the most cost-effective and least risky way to scale

Download now

IT operations overload hinders digital transformation

Clearing the path towards a modernised system of agreement

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular


How to find RAM speed, size and type

24 Jun 2020

Microsoft releases urgent patch for high-risk Windows 10 flaws

1 Jul 2020

The top 12 password-cracking techniques used by hackers

12 Jun 2020