Paddy Power to contact 650,000 customers over data breach

Bookmaker says financial and password information not compromised in 2010 case

Bookmaker Paddy Power is attempting to contact almost 650,000 customers affected by a historical data breach.  Photograph: Alan Betson / The irish Times.

Bookmaker Paddy Power is attempting to contact almost 650,000 customers affected by a historical data breach. Photograph: Alan Betson / The irish Times.

 

Bookmaker Paddy Power is attempting to contact almost 650,000 customers affected by a historical data breach.

The Dublin-listed company said no financial information or passwords had been compromised in the 2010 hacking incident, the extent of which came to light in recent months as part of an investigation in Canada.

“The historical dataset contained individual customer’s name, username, address, email address, phone contact number, date of birth and prompted question and answer,” Paddy Power said in a statement.

“Customers’ financial information such as credit or debit card details has not been compromised and is not at risk. Account passwords have also not been compromised.”

Paddy Power - which offers clients betting, casino games and other services - said that account monitoring has not detected any suspicious activity to indicate that customers’ accounts have been adversely impacted in any way.

The bookmaker said it had contacted the Data Protection Commission and An Garda Síochána about the matter. It advised customers to “review other sites where they use the same prompted question and answer as a security measure and update where appropriate”.

It said customers who opened an account after 2010 would not have been affected and that it was pro-actively contacting 649,055 people who were.

Paddy Power was advised in May about an allegation that the dataset was in the possession of a person in Canada. Once the development was confirmed the company obtained two court orders in Canada last month to seize IT assets in order to wipe the data and examine his bank accounts.

“The full extent of the 2010 data breach became known to the Company in recent months when it took legal action in Canada with the assistance of the Ontario Provincial Police to retrieve the compromised dataset from an individual,” the statement added.

Peter O’Donovan, managing director for Paddy Power’s online business, said the company regretted that the breach had happened and apologised to those affected.

“We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data.”