How Paddy Power pursued data breach to Ontario home
Story of how contact details for 650,000 of bookmaker’s customers was put up for sale
Staff at Paddy Power’s office in Belfield Office Park, Dublin. The bookmaker revealed last month that almost 650,000 customers were affected by a data breach in 2010.Photograph: Dara Mac Dónaill /The Irish Times
Jason Ferguson said the job was straightforward: buy a gambling company’s client data and flip it to a rival who could use the information to win new customers. Instead, the story ended last month with a fleet of cars arriving outside his home in a cul-de-sac in a suburb of Brockville, a town three-and-a-half hours drive northeast of Toronto. The convoy included forensics experts and representatives of Paddy Power, the operator of the largest online sports book in the UK and Ireland.
After Ferguson was shown court orders, the 40-year-old led the team to his basement, where they seized a hard drive and other equipment containing the names, contact details, addresses, dates of birth, and secret questions and answers for more than 600,000 Paddy Power clients that they later wiped clean. “Should I have had the data?” Ferguson, a tattoo of a hand fanning out four aces on his right forearm, said in an interview with Bloomberg News at the only Starbucks in town over a chai latte. “Is it ethical? To my knowledge, there’s no precedent. I thought I was acting within the realm of legality.”
Canadian police agreed, with no charges being laid against Ferguson, who was flagged to Paddy Power by a London gaming consultant posing as a potential buyer. Yet the tale of how a Dublin-based company’s stolen data ended up in an Ontario basement 3,100 miles away, via a detour to the Mediterranean island of Malta, illustrates the challenges facing companies and institutions across the globe, ranging from Target to the European Central Bank, grappling with personal-data breaches.
“Many countries have anti-hacking or data privacy laws that criminalise the theft of personal data, but there is no harmonised position on buying and selling data that has been stolen,” said Richard Jones, director of data privacy at Clifford Chance LLP in London. “Even in a strict regime it may not be possible to prosecute someone who didn’t know, or claims not to have known, that the data they were buying was stolen.”
Eight “mega breaches” last year exposed more than 10 million identities each, compared with one in 2012, according to Mountain View, California-based Symantec, the biggest maker of anti-virus tools. Last month, hackers broke into a database belonging to the ECB and attempted to use the information to extort cash from the institution. Hackers last year stole 40 million credit and debit card details along with 70 million addresses, phone numbers and other information from Target, the second-biggest US discount retailer.
For Paddy Power, the story began with a cyber attack in late 2010, according to a company statement on July 31st and court filings. Paddy Power said it detected “malicious activity” in an attempt to breach its security system, overseen by Paddy Power’s chief executive officer Patrick Kennedy (45), as he sought to win a share of surging online betting.
Now one of Ireland’s biggest publicly traded companies, Paddy Power has more than 1.9 million online customers. Through an outside spokesman, the company declined to comment beyond its statement last month, which apologised for the breach.
As Kennedy was building the business, Ferguson was dealing with the failure of his Bumble B Boutique, a children’s clothing consignment store which closed after seven months in a center of a town he described as “dying”.
Born and raised in Brockville, he said he had three kids from his first marriage to support. Dressed in a black t-shirt, cargo shorts and a blue bandanna, with sunglasses perched on his head, he said he’s been making money from online gambling, arbitrage betting, and working as an “affiliate” for almost half his life. Affiliates essentially refer potential clients to betting companies.