Betfair hides credit card data hack from customers

More than three million customers affected by attack

Sports betting exchange Betfair failed to notify customers of a massive credit card data theft 18 months ago, it has been revealed.

According to the Daily Telegraph, the company disclosed in an internal report that between 28 March 2010 and 9 April 2010, cyber criminals stole 3.15 million account usernames with encrypted security questions, 2.9 million usernames with one or more addresses and 89,744 account usernames with bank account details.

Customer accounts that existed at 1 February 2010 were affected, yet Betfair made no move to inform customers of the breach because it decided that there was “no risk to customers”.

“Eighteen months ago we were subject to an attempted data theft. Because of our security measures the data was unusable for fraudulent activity and we were able to recover the data intact.

“At the time, we contacted all the relevant authorities and worked closely with them regarding this matter and it was established that there was no risk to customers,” the company said in a statement.

The authorities that Betfair was obliged to inform included the UK Serious Organised Crime Agency (SOCA), German law enforcement agencies and the Australian Federal Police. It also notified the Royal Bank of Scotland, which was responsible for accepting card payments made via Betfair.

The incident, described in an internal report called ‘Project Brazil Progress Report’, called into question Betfair’s security monitoring systems, as the company did not discover the breach until two months after the initial attack. Hackers breached the company’s systems on 14 March 2010, but it was only a server crashing at a data centre in Malta that alerted the company to the attack.

According to the Daily Telegraph, a report on the crime by consultants Information Risk Management described Betfair’s IT security as insufficient.

“Information security was not implemented in accordance with best practice.

“Appropriate information security governance is not in place within Betfair and as a consequence the business has been exposed to significant risks,” the report stated.

Meanwhile, Betfair said that it has now implemented all of the recommendations from independent reports it commissioned into the crime, and that it has "done everything we can to minimise the risk of this happening again."

Earlier this year, Betfair launched a customer commitment charter setting out 14 promises to customers about the quality of its services, including technology.

One of the promises included ensuring the security of its site and customer data, and to protect customers’ money by keeping it separate from the company’s funds.

The company publishes a progress report against each of the commitments every three months, starting from 1 August.

Comments

  • Iamyue1 This company is a disgrace. They ban the media from their AGM, they destroy shareholder value, they cover up things like the infamous poker heist, and now this. Shame on them and shame on David Yu.
  • InfosecChap A crying shame. We all know how truly hard it is to get the business to deal with IT risk: high impact, low probability equals medium risk, which is ignored. The article mentions file integrity; a product like Tripwire or an open source equivalent is peanuts. Of course the back-end support needed by the security operations centre is where the big money lies, which is why there are n number of outsourcers, system integrators and managed services companies who will do this for you. The point about the broken crypto made me laugh. If they are so certain it's broken, I wonder what the implementation was. Again, proper monitoring and robust procedures are needed. I suspect that the Betfair world isn't populated by HSMs. Betfair now has a choice: deal with this, engage a CISO, invest in a robust set of controls, or dodge the issue until next time. I'd expect that they are PCI DSS compliant already, surely? If they are, then this is another blow to the PCI DSS silver bullet. If not, then there's a lesson, I think. Congrats to Mr Osborne for spotting the line in the report and getting to the truth. I bet it wasn't easy. Chin chin, infosecchap