
Paddy Power Data Breach

  • 31-07-2014 2:49pm
    #1
    Registered Users, Registered Users 2 Posts: 3,205 ✭✭✭


    Just got an email from Paddy Power to say that they had a data breach back in 2010, during which some customer information was accessed.

    The information was: name, address, phone number, email, DOB and prompted question and answer.

    It is ridiculous that this happened 4 years ago and they are only telling us about it now. Apparently the full extent of the data breach only became known to them in recent months. That is quite a bit of information to be potentially floating around, not happy at all with this.


Comments

  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,481 CMod ✭✭✭✭Spear




  • Registered Users, Registered Users 2 Posts: 203 ✭✭industrialhorse


    They should have informed the public of this breach as soon as they evaluated that customer data, financially sensitive or not, was compromised. It would have put more people's minds at ease by saying no financial data was stolen but four years on, I'm sure most of us who are more privacy-aware would be sceptical of any further dealings with a company who claim they are "listening" to their customers:mad:


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    cruizer101 wrote: »
    It is ridiculous that this happened 4 years ago and they are only telling us about it now.

    Outrageous to be honest.


  • Registered Users, Registered Users 2 Posts: 9,420 ✭✭✭Shedite27


    How exactly does a company know that its database has been breached? Are there "cyber-fingerprints" left?


  • Registered Users, Registered Users 2 Posts: 1,034 ✭✭✭dalta5billion


    Shedite27 wrote: »
    How exactly does a company know that its database has been breached? Are there "cyber-fingerprints" left?

    Usually when its database gets posted on a Russian forum.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Usually when its database gets posted on a Russian forum.
    This is not a joke actually.

    Sony apparently, up to a year after they got owned in 2011, still hadn't found the breach.

    Unusual network activity detected by monitoring software, and finding nice shiny new malware after the fact and figuring out what it did, are other common ones.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    The Data Protection Commissioner's Office said it was satisfied that Paddy Power had implemented measures that would prevent a repeat of the incident and that no financial data or passwords had been compromised.



    The incident involved customers who had set up a booking account with the firm before 2011 and included customers' names, usernames, addresses, email addresses, phone numbers and dates of birth, as well as security questions and answers.
    Email and security Q&A, FFS, shocking really. Everything is there. Why did the attacker not use this?

    They got mothers' maiden names as well, it's missing from that list.





    And here it is why it's come out now after so long...
    It said that in May of this year it was advised that some customer information was in the possession of an individual in Canada, with the full extent of the breach being revealed after it took legal action to retrieve this.
    Paddy Power said it engaged with the Office of the Data Protection Commissioner on the matter, and was now in the process of contacting the 649,055 affected customers.
    They hadn't a clue what was taken until this year and they did nothing, only moving before it revealed itself.

    Seriously sloppy, they couldn't give a toss either. Will they even be fined? Probably not. Data P is a joke. Too busy getting Boards to set up a close account feature:rolleyes: and bending over to Facebook.


    Online gambling should be banned anyway. Makes it too easy for people to destroy themselves.

    They should be pummeled for this, trying to protect share price, greedy ****s. Share price is actually up as well on this. Christ.


  • Registered Users Posts: 689 ✭✭✭wush06


    Still no email, this is the first I read of it, shocking.


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    They should have informed the public of this breach as soon as they evaluated that customer data, financially sensitive or not, was compromised

    You might expect them to. It may speak volumes about the company, their ethos and culture. However, they aren't obliged to notify anyone -- it is proposed as far as I recall but not part of current data protection legislation. There is a code of practice but it is not binding (EDIT: "This Code of Practice applies to all categories of data controllers and data processors to which the Data Protection Acts 1988 and 2003 apply"). Effective July 2011 (Breach 2010).

    Through whatever decision making process they have in paddy power, the loss of 650k plus customer personal details (as is identified by them) didn't have significance worthy of notification to their customers (they appear to have been satisfied that customer account details / password / card numbers etc. weren't compromised so the rest of the stuff it appears wasn't of concern to them at the time) -- it doesn't appear clear as to what the rationale used was (if any).
    Paddy Power had detected malicious activity in an attempted breach of its data security system in 2010. A detailed investigation was undertaken at the time and determined that no financial information or customer passwords had been put at risk. It was, however, suspected that some non-financial customer information may have been exposed and a full review of security systems was undertaken.

    source: Paddy Power.

    So, why now 4 years later do they stump up;
    Paddy Power was advised in May 2014 of an allegation that an historical customer dataset was in the possession of an identified individual in Canada. The Company alerted An Garda Siochána and the Office of the Data Protection Commissioner.

    same source as above.

    When, through the Canadian legal system, they got to seize this individual's IT stuff and got access to the data set:
    The data has been examined forensically by the Paddy Power Information Security Team and the results of the examination have determined, with precision, that some personal information relating to 649,055 customers was compromised during a cyber attack on Paddy Power’s IT systems in 2010.

    same source as above.

    But, don't worry;
    Paddy Power places a premium on having robust security systems and processes and, in recent years, has invested over €4 million in its IT security systems.

    same source as above.

    Nice to see though, that their share price went up by nearly 1%.

    Sad thing is, tomorrow, the next day....... no one will care too much.

    :rolleyes:


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Create an Army of Raspberry Pi Honeypots on a Budget
    Why Internal Honeypots?

    Let’s start with a plausible scenario. A colleague opens a link from an email which promises pictures of cute puppies, but it’s actually malware which installs an advanced persistent threat (APT) malware kit. Now, the attacker has access to the compromised machine and our internal network. She begins scanning the network to start the covert information gathering process and to find additional exploitable machines.

    Organizations typically focus on monitoring inbound and outbound network traffic via firewalls, yet ignore internal network traffic due to the complexity involved. In the scenario above, a firewall will not protect or alert us.

    By running honeypots on our internal network, we are able to detect anomalous events. We gain awareness and insight into our network when network hosts interact with a Raspberry Pi honeypot sensor. Since there isn’t a good reason to interact with it (since it doesn’t do anything), activity on the Raspberry Pi is usually indicative of something roaming around our network and a possible security breach.
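    The detection idea in the quoted article (and the "unusual network activity detected by monitoring software" mentioned earlier in the thread) can be shown with a small sensor. The following is an added Python example and is not code from the article, the thread, Paddy Power, or any Raspberry Pi honeypot project: it binds a few decoy TCP ports, records every connection attempt, and flags a source host that touches several decoy ports within a short window, which is what a scanning host on the internal network would look like. The decoy port numbers, the 60-second window and the two-port threshold are hypothetical choices for illustration.

```python
"""Minimal internal honeypot sensor (constructed example, not the article's code).

The decoy offers no service, so any contact is itself the signal. One host
touching several decoy ports in quick succession is the network scan that the
quoted article describes as the start of lateral movement.
"""
import socket
import threading
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ContactEvent:
    """One TCP connection attempt seen by the decoy."""
    ts: float        # time.time() when the connection was accepted
    src_ip: str
    src_port: int
    dst_port: int    # which decoy port was touched


class HoneypotSensor:
    """Binds decoy TCP ports, accepts and immediately closes, recording each contact."""

    def __init__(self, listen_addr="127.0.0.1", ports=(2222, 3389, 8080)):
        # Decoy ports are a hypothetical choice; pick ports that look interesting
        # to a scanner but that nothing legitimate on the network should use.
        self.listen_addr = listen_addr
        self.ports = ports
        self.events = []
        self._lock = threading.Lock()
        self._servers = []

    def start(self):
        for port in self.ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((self.listen_addr, port))   # port 0 lets the OS choose (unprivileged runs)
            srv.listen(5)
            self._servers.append(srv)
            threading.Thread(target=self._accept_loop, args=(srv,), daemon=True).start()

    def bound_ports(self):
        return [s.getsockname()[1] for s in self._servers]

    def _accept_loop(self, srv):
        dst_port = srv.getsockname()[1]
        while True:
            try:
                conn, (ip, port) = srv.accept()
            except OSError:       # listening socket closed by stop()
                return
            with self._lock:
                self.events.append(ContactEvent(time.time(), ip, port, dst_port))
            conn.close()          # offer nothing; the contact itself is what we record

    def wait_for_events(self, n, timeout=2.0):
        """Block until at least n contacts are recorded (or timeout); return a copy."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return list(self.events)
            time.sleep(0.01)
        with self._lock:
            return list(self.events)

    def stop(self):
        for srv in self._servers:
            srv.close()


def probe(host, port):
    """Open and close a TCP connection, standing in for a host probing the decoy."""
    socket.create_connection((host, port), timeout=2.0).close()


def scan_alerts(events, window_seconds=60.0, min_ports=2):
    """Return {src_ip: sorted decoy ports} for hosts that touched >= min_ports
    distinct decoy ports within window_seconds. Thresholds are hypothetical."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src_ip].append(ev)
    alerts = {}
    for ip, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            ports = {e.dst_port for e in evs[i:] if e.ts - first.ts <= window_seconds}
            if len(ports) >= min_ports:
                alerts[ip] = sorted(ports)
                break
    return alerts


def format_event(ev):
    """Syslog-style line suitable for forwarding to a central log host."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(ev.ts))
    return f"{stamp}Z honeypot contact src={ev.src_ip}:{ev.src_port} dst_port={ev.dst_port}"


if __name__ == "__main__":
    sensor = HoneypotSensor(ports=(0, 0, 0))   # ephemeral ports so this runs unprivileged
    sensor.start()
    for p in sensor.bound_ports():             # simulate one host probing every decoy port
        probe("127.0.0.1", p)
    seen = sensor.wait_for_events(3)
    sensor.stop()
    for ev in seen:
        print(format_event(ev))
    print("scan alerts:", scan_alerts(seen))
```

    On a real deployment the sensor would bind fixed decoy ports on the Pi's LAN address and ship `format_event` lines to a central log host, where `scan_alerts` (or the SIEM's own correlation) turns a burst of contacts from one source into the alert; a single contact is still worth logging, since nothing legitimate should ever talk to the decoy.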


  • Registered Users Posts: 127 ✭✭paul64


    Will the affected paddy power clients be entitled to some form of compensation for this and also will paddy power lose many customers over this fiasco?


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    paul64 wrote: »
    Will the affected paddy power clients be entitled to some form of compensation for this?
    Compensation for what? What harm have they experienced that they can be compensated for?


  • Registered Users, Registered Users 2 Posts: 203 ✭✭industrialhorse


    paul64 wrote: »
    Will the affected paddy power clients be entitled to some form of compensation for this and also will paddy power lose many customers over this fiasco?

    No compensation applies here but I'm sure a very small amount of customers (those who care about data protection and privacy) may close their PP account and set up with one of their many rivals in the online gambling market.


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    paul64 wrote: »
    Will the affected paddy power clients be entitled to some form of compensation for this and also will paddy power lose many customers over this fiasco?

    AFAIK, there is no provision for compensation under data protection legislation (fines to the data controller on conviction yes, but compensation to the data subject - no), however those customers affected may have a case should they become at a loss financially or otherwise through the misplacement of this data. I'm guessing the burden of proof would need to be definitive if such a case were to proceed.

    The eircom/Meteor case (stolen unencrypted laptops) in recent years is such a case where they were fined in the courts in an action taken by the office of the data protection commissioner. In that case the data controllers (eircom/Meteor) lost customer and staff data through the theft of the machines.

    It kinda compares - loss/theft of personal data. It will be interesting to see if the office of the data protection commissioner takes such a case against paddy power. Penalties in this regard by means of fine could be up to €100k.


  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    AnCatDubh wrote: »
    It kinda compares - loss/theft of personal data. It will be interesting to see if the office of the data protection commissioner takes such a case against paddy power. Penalties in this regard by means of fine could be up to €100k.

    100K would be peanuts to Paddy Power - worth the free advertising if nothing else. Share price is actually gone up since this was revealed yesterday :cool:


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    and bending over to Facebook.
    Off Topic but we can all sue Facebook now, wayhey!
    Despite the fact that Austrian law doesn’t allow class action lawsuits per se, there is precedent to multiple claims being assigned to the same plaintiff. As such the suit is open to anyone who wants to join, as long as they are of age and not living in the US or Canada.


    Schrems has been behind a number of lawsuits against Facebook in Ireland. Many tech companies adopt Ireland as their base of operations for Europe because of that country's incredibly lenient tax policies. While there Schrems' lawsuits have had quite an impact on the social networking company, forcing them to rein in their facial recognition program, and to disclose more information when the relevant user asks for it.


    Despite initial success though, Schrems has come to the conclusion the Irish authorities are dragging their feet on these lawsuits, mainly because of political pressure to not alienate the tech giants currently residing there. As such Schrems has elected to file this new suit in Austria, where there are no such issues. And due to the way the EU works, an Austrian verdict would still apply to Facebook's Irish operations.


    As mentioned above, the lawsuit is open to anyone interested. All you have to do is fill out a form and provide a form of identification. However, don't expect a massive payout at the end. Even if everything goes according to plan and the court does rule in favour of the plaintiff, the paid damages will be small because this is about enforcing privacy rights and not money.
    http://www.neowin.net/news/facebook-faces-class-action-lawsuit-in-austria-over-privacy


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    Off Topic but we can all sue Facebook now, wayhey!
    Or to be more specific, we can all use a Facebook app to sue Facebook.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    One's personal information - DOB, name etc etc is your private property. Like money in your wallet/bank account.

    If you are forced to give this to somebody else to avail of their services or by some gov agency, they have a duty of care to protect this info.

    1) They should be required to indemnify you if they require your information for any costs and damages incurred by you as a result of breach of their computer systems.

    2) They should be required by law to notify all victims of security breaches within 24 hours of even a suspicion of it happening, giving the individual the opportunity to take the action they feel necessary - eg replacing payment card numbers.

    3) Many organizations require personal information that is quasi-biometric or biometric, e.g. your date of birth, mother's maiden name etc. Demands for this type of information should be made unlawful, because you can't change them, unlike a Visa card number.


  • Registered Users, Registered Users 2 Posts: 9,240 ✭✭✭limnam


    No compensation applies here but I'm sure a very small amount of customers (those who care about data protection and privacy) may close their PP account and set up with one of their many rivals in the online gambling market.

    Why would any other gambling website's DBs be any more secure than PP's?
    Putting your details on any company's servers comes with an element of risk.

    PP today someone else tomorrow.


  • Registered Users, Registered Users 2 Posts: 203 ✭✭industrialhorse


    limnam wrote: »
    Why would any other gambling website's DBs be any more secure than PP's?
    Putting your details on any company's servers comes with an element of risk.

    PP today someone else tomorrow.

    Not saying that any other gambling websites have a more secure database than PP but if it has taken them four years to make their data breach known to the public then, in my opinion, it is a very strong reason to distrust PP and time to check out how their rivals have been managing personal data, and how they intend to improve data security arrangements in the wake of the PP breach.


  • Registered Users, Registered Users 2 Posts: 9,240 ✭✭✭limnam


    Not saying that any other gambling websites have a more secure database than PP but if it has taken them four years to make their data breach known to the public then, in my opinion, it is a very strong reason to distrust PP and time to check out how their rivals have been managing personal data, and how they intend to improve data security arrangements in the wake of the PP breach.

    Distrusting a company designed to take you for every penny you have.
    I think you're over cautious ;)

    They're not going to release technical details of potential mitigation steps. It doesn't really matter what steps they take anyway; there is always risk.

    The option you have is to go elsewhere, hope for a bit of luck and some honesty from a bookie.

    good luck with that


  • Registered Users, Registered Users 2 Posts: 9,557 ✭✭✭DublinWriter


    AnCatDubh wrote: »
    The eircom/Meteor case (stolen unencrypted laptops) in recent years is such a case where they were fined in the courts in an action taken by the office of the data protection commissioner. In that case the data controllers (eircom/Meteor) lost customer and staff data through the theft of the machines.
    In that case Eircom/Meteor pleaded guilty to all charges and were given Section 1(1) of the probation act if they donated €15,000 to charity.

    Considering the data they lost was on over 10,000 customers, including copies of passports and utility bills used to prove client ID, it's not even small change, it's micro-change.

