Betfair Admits Sensitive Data Breach

Customers were not informed about the incident

It has finally been confirmed that online betting exchange Betfair suffered an incident last year that involved wide-scale theft of customer data. The specifics known so far are the period when it happened, between March 28 and April 9, and that the perpetrators come from Cambodia.

The sensitive data stolen included payment card details of most of Betfair's customers; 3.15 million account usernames with encrypted security questions; 2.9 million usernames with one or more addresses; and 89 744 account usernames with bank account details. It was later specified that the theft was conducted by people who knew how to decrypt payment card details. Fortunately for the customers, CVV2/CVC security numbers were not stolen along with the other data, which "significantly limits the ability of the cards to be used fraudulently".

It has been claimed that the theft was discovered as much as two months later, when a "production log server" crashed at Betfair's Malta data centre. This led to the revelation of "at least another nine servers that had been compromised in the UK and two in Malta".

After the discovery, Betfair reportedly informed the UK Serious Organised Crime Agency, Australian and German law enforcement authorities, UK and Maltese regulators, and its credit card payment processor, the Royal Bank of Scotland. However, it never informed its customers about the breach, and it claimed only that the stolen data was unusable for fraudulent activity and had been recovered intact, so there was no risk for the customers.

According to the London-based Information Risk Management (IRM), "Appropriate information security governance is not in place within Betfair and as a consequence the business has been exposed to significant risks."