DUBLIN – Irish betting company Paddy Power announced Thursday it is notifying hundreds of thousands of customers that most of their profile information was stolen in 2010, but hackers did not gain their credit card details or log-in passwords.
Paddy Power defended its four-year delay in reporting the biggest security breach in the company’s history by arguing that it didn’t know most of the details until much more recently. Online security experts said the fast-growing betting firm should have alerted its customers much sooner.
The Dublin-based company said it had known since 2010 that someone tried to hack into its customers’ online accounts and monitored for any signs of fraud or theft, but found no evidence this was happening.
It said it received a tipoff in May that a Toronto-based man had an archive of Paddy Power customers’ names, usernames, addresses, emails, phone numbers, birthdates and security questions, including the mothers’ maiden names — details useful to impersonate the customers and potentially crack into their personal accounts on other sites.
The company said it secured two Canadian court orders in July ordering the man to surrender his database and permit police searches of his IT equipment and financial records. The man, who was questioned by police, has yet to be charged with any crime.
The company said it is sending emails to 649,055 customers — representing nearly 30 percent of its online gamblers in 2010 — advising them to consider changing their security question on all online accounts.
“We sincerely regret that this breach occurred and we apologize to people who have been inconvenienced as a result,” said Peter O’Donovan, managing director of online operations.
Internet security experts said Paddy Power customers could be targeted by “spear-phishers” asking them to change their passwords in hopes of receiving their new log-in credentials.
Maksym Schipka, an information security specialist at British cybersecurity firm Clearswift, said the four-year failure to identify what data had been stolen suggests “a huge failure on Paddy Power’s behalf to maintain control and protection of its users’ critical information.”
But investors shrugged off the news, sending Paddy Power shares nearly 1 percent higher to €52.76 ($54.10) in Dublin.