Reports that Betfair has suffered a data breach – losing the details of around 3.15 million customers, including payment and bank details of some of its clients – have been met with astonishment.
Since its creation in June 2000 the Betfair betting exchange has grown to more than 3 million members and processes many millions of bets every single day.
Reading through the report in the Daily Telegraph business section – and cross-referencing this to the flotation prospectus from last year – reveals that 3.15 million account user names with encrypted security questions, 2.9 million of which included address data and approaching 90,000 bank account details, were apparently accessed by hackers in the Far East.
The majority of gamblers on Betfair use debit or credit cards to fund their accounts, along with PayPal, Moneybookers and other forms of electronic cash, so it is reasonable to assume that the payment card credentials of a large number of these 3.15 million customers were accessed.
While it remains to be seen whether this payment card data was encrypted, the firm is still in clear breach of the PCI DSS rules, and may well also have been in breach of the Data Protection Act, since some customer data was allegedly stolen by cybercriminals in Cambodia.
As if all this were not bad enough, what I find incredible is that the data breach by the Cambodian hackers took place on March 14, yet the fact that the breach occurred was not discovered until more than two months later, when a server crash occurred at a Malta-based data centre.
We now know that the Serious Organised Crime Agency, as well as Australian and German law enforcement agencies and the Royal Bank of Scotland – the payment processor for Betfair – were involved at some stage last year, but it is amazing that the betting exchange did not notify its customers of the data breach.
This all smacks of only doing the bare minimum – as required under law – to deal with a data breach, and not considering the best interests of Betfair’s customers. One is forced to conclude that the proximity of the betting exchange’s flotation had a lot to do with this.
The brutal reality is that a multi-million pound betting exchange, with operations in several countries, processing millions of transactions every single day, was clearly hacked by Far Eastern cybercriminals, despite the fact that the exchange had claimed previously that its security systems – as required by multiple regulatory authorities – were up to scratch.
More than anything, the fallout from this episode sends all the wrong messages. It implies that, if you do suffer a data breach – yet only do the minimum checkbox security required under law – the worst that can happen is that you make the business headlines some eighteen months later. No fines, no censure, nothing at all.
Most corporate governance and IT security professionals will be amazed at what has transpired and, as the facts emerge, you can bet your bottom dollar – as many Betfair punters do – that the management of a large number of organisations will conclude that they too can afford to take risks with their data security, and get away with it. That is bad news for the IT security profession and business generally, in my humble opinion.