Betfair risks data breach backlash

Sports betting firm Betfair is risking the wrath of its customer base, after it was revealed that the company failed to notify customers of a major credit card data theft 18 months ago.
According to reports, Betfair disclosed in an internal report that between 28 March 2010 and 9 April 2010, cyber criminals stole 3.15 million account usernames with encrypted security questions, 2.9 million usernames with one or more addresses and 89,744 account usernames with bank account details.
Customer accounts that existed at 1 February 2010 were affected, yet Betfair made no move to inform customers of the breach because it decided that there was “no risk to customers”.
The company said in a statement: “Eighteen months ago we were subject to an attempted data theft. Because of our security measures the data was unusable for fraudulent activity and we were able to recover the data intact. At the time, we contacted all the relevant authorities and worked closely with them regarding this matter and it was established that there was no risk to customers.”
Betfair was forced to inform the UK Serious Organised Crime Agency (SOCA), German law enforcement agencies and the Australian Federal Police. It also notified the Royal Bank of Scotland, which was responsible for accepting card payments made via Betfair.
The incident, described in an internal report called ‘Project Brazil Progress Report’, calls into question Betfair’s security monitoring systems, as the company did not discover the breach for two months after the initial attack. Hackers breached the company’s systems on 14 March 2010, but it was only a server crashing at a data centre in Malta that alerted the company to the attack.
A report on the crime by consultants Information Risk Management described Betfair’s IT security as insufficient. “Information security was not implemented in accordance with best practice. Appropriate information security governance is not in place within Betfair and as a consequence the business has been exposed to significant risks,” the report stated.
Earlier this summer, online bookmaker Bet24.com warned punters that their personal data may have been exposed during a security breach, nearly two years after the hack attack was thought to have taken place.
