After Australian retailer Catch of the Day revealed that it had suffered a security incident in 2011 and only informed users three years on, a business closer to home has done something similar.
In a statement, Paddy Power’s CEO said that the company had also suffered an incident, in 2010, which did not compromise any financial information or customer passwords, and that no user accounts were adversely impacted. The incident became public when Paddy Power took legal action in Canada, with the assistance of the Ontario Provincial Police, to retrieve the compromised dataset from an individual. Paddy Power was notified in May 2014 and subsequently proactively contacted the 649,055 affected customers about the issue.
The bookmaking giant said that it detected malicious activity in an attempted breach of its data security system in 2010, but that a detailed investigation determined that no financial information or customer passwords had been put at risk. So how has this only come to light now, and how good was that investigation? We got these responses from the industry:
George Anderson, Director at Webroot
“It’s shocking to see that Paddy Power has waited over four years to inform its users of the cyber-attack on the company – joining the ranks of eBay and Orange France that also waited far too long between a breach and public disclosure. Waiting four years isn’t just irresponsible, it’s senseless.
“Since hackers don’t discriminate and any company can become a victim, this practice is becoming a worrying trend. The stakes are high – keeping your company’s name out of the headlines shouldn’t be your priority; it should be dealing with the attack effectively and in a timely manner. The very first step in a situation like this is always to inform customers as soon as possible, as any data that is stolen can be used for phishing attacks. This should become best practice for any type of breach, even those where investigation has shown no confidential data has actually been compromised – it’s late to advise people to “change your prompted question and answer on other sites” as a security measure four years later.
“Companies have a responsibility to protect their customers as best they can, since their relationship often relies on mutual trust – and informing them of a breach, where their data could have been compromised is the right thing to do.”
Maksym Schipka, information security specialist and SVP Engineering at Clearswift
“Today’s announcement of a massive data breach at gambling firm Paddy Power is of huge concern due to the company’s failure to publicly disclose the attack, having allegedly had knowledge of it since 2010. It implies a huge failure on Paddy Power’s behalf to maintain control and protection of its users’ critical information – which includes names, addresses, dates of birth, and even mothers’ maiden names – and to communicate the breach to its many customers, who have been at risk for all of this time.
“A breach on this scale, combined with the lack of transparency demonstrated by the company will certainly affect its professional reputation. Similar to the recent eBay cyber-attack, it is not yet clear as to why the company has waited until now, four years later, to tell its customers and also confirm how the breach occurred, so the true extent of the data loss is potentially not yet known.
“The effect of this information, including the personal data of many people taking part in gambling activities, falling into the wrong hands should not be under-estimated. Today’s disclosure opens up further opportunities for those in possession of this data, including launching further spear-phishing activities luring people to change passwords with a view to stealing current credentials. Moreover, the statement from the company informing the public that the company is very confident in its current security systems may still point to a lack of understanding of the complexities and sophistication of modern cybercriminals, which require adequate critical information protection solutions in place, underpinned by a well thought-through set of policies and processes that are regularly reviewed and tested.”
Troy Gill, senior security analyst at AppRiver
“There is no need for panic here since no financial or password info has actually been exposed. It might be a good idea for Paddy Power to reset the few things that can be changed for these customers, such as question and response specifics and username. Of course these events at the very least serve as a great reminder to keep up good security practices – utilising different passwords for each account – even if they are a minor inconvenience now, they could potentially save you a major inconvenience down the road. However, according to the disclosure from Paddy Power, they do not believe that the passwords were ever stolen/exposed.
“As more disclosure laws are being implemented all the time, I expect to see an upward trend in data breach disclosures over the near future. In this case it appears they only recently verified that the data had actually been stolen back in 2010.”
David Harley, ESET Senior Research Fellow
“Intentional long-term non-disclosure is not new. In fact, the trend recently has been away from that because in several jurisdictions non-disclosure may incur legal sanctions if it’s not in the interest of its customers. Even before that, some companies found that the sky didn’t fall if they advised their customers that they were potentially affected by a breach, and that some of those customers even appreciated it. It may be, though, that in the light of some recent cases, companies will be less likely to volunteer information until it becomes necessary, for fear of inviting legal action, especially class actions.
“For a customer, if your service provider drops the ball, it doesn’t matter how good your password is. Without getting into what you need to do in individual cases (which will vary hugely), it’s sensible never to assume that the provider will provide you with perfect protection. If they let you know, act on it. If you’re not aware of any issues, it still makes sense to provide yourself with the best protection you can in any instance where your data matters (is sensitive). Don’t share passwords across sensitive accounts, and use alternative/augmentative technologies (e.g. multi-factor authentication) where they are available.”