Paddy Power Notifies Customers of Data Breach… Four Years Late

Irish bookmaker Paddy Power has admitted that personal details of more than 600,000 customers were stolen in a cyber-attack that occurred in 2010. The company revealed that it was aware of an attack on its system four years ago but failed to inform customers of the security breach.

Data including names, usernames, postal addresses, email addresses, phone numbers and dates of birth, as well as security questions and answers, were stolen, although it’s not thought that financial information was accessed or that any customer accounts were violated. The company was informed in May this year that a man in Canada had a large database of customer information, but it remains unclear how long Paddy Power has known about this security breach, or whether it knew the full extent of it.

Failing to inform people of a data leak in good time leaves customers exposed to the danger of identity theft. Any security breach, no matter how big or small, should be taken seriously by organisations and communicated to customers to enable them to take necessary steps to minimise the damage caused to them personally. It’s also essential that an organisation properly investigates how the data was stolen and closes off any vulnerability that may have enabled the theft.

In this instance, the stolen information placed affected account holders at severe risk of further social engineering attacks and identity theft. While a security breach will always draw negative attention, it is always better to communicate quickly and openly to restore customer trust and ensure that customers are better protected against further attacks.