Paddy Power Advises Customers of Historical Data Breach

31 Jul 2014

- No financial information or customer passwords accessed in hacking incident
- Full investigation shows no evidence customers’ accounts adversely impacted
- Incident restricted to a number of customers who held an account in 2010, no impact on customers who opened accounts after this time

Paddy Power is today (Thursday, 31st July 2014) contacting certain customers in relation to an historical data breach. No financial information or customer passwords were compromised in the isolated incident and customers’ accounts are not at risk as a result. The full extent of the 2010 data breach became known to the Company in recent months when it took legal action in Canada with the assistance of the Ontario Provincial Police to retrieve the compromised dataset from an individual.

Paddy Power takes its responsibilities regarding customer data extremely seriously and it is deeply regrettable that this breach happened. Paddy Power has engaged with the Office of the Data Protection Commissioner on this issue and kept them updated on the action taken by the Company.

The historical dataset contained individual customer’s name, username, address, email address, phone contact number, date of birth and prompted question and answer. Customers’ financial information such as credit or debit card details has not been compromised and is not at risk. Account passwords have also not been compromised. Paddy Power’s account monitoring has not detected any suspicious activity to indicate that customers’ accounts have been adversely impacted in any way.

The accessed information alone would not have been sufficient to grant access to a Paddy Power customer account and this incident has no impact on customers who opened accounts after 2010.

Paddy Power is today pro-actively contacting 649,055 affected customers on this issue. Customers are being advised to review other sites where they use the same prompted question and answer as a security measure and update where appropriate.

“We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result,” said Peter O’Donovan, MD Online, Paddy Power. “We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.”

Continuing Peter O’Donovan said: “Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats. This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure.”

Ends.

Notes to Editors

Paddy Power was advised in May 2014 of an allegation that an historical customer dataset was in the possession of an identified individual in Canada. The Company alerted An Garda Siochána and the Office of the Data Protection Commissioner.

Following a verification process on a sample of the data, Paddy Power sought and received two court orders in Canada to seize the individual’s IT assets, to recover the dataset and delete it from the IT systems, to examine his bank accounts and financial transactions and to question him. This was undertaken with the assistance of the Ontario Provincial Police. The court orders were secured and executed in Canada during the week of July 7th. The data has been examined forensically by the Paddy Power Information Security Team and the results of the examination have determined, with precision, that some personal information relating to 649,055 customers was compromised during a cyber attack on Paddy Power’s IT systems in 2010.

Paddy Power had detected malicious activity in an attempted breach of its data security system in 2010. A detailed investigation was undertaken at the time and determined that no financial information or customer passwords had been put at risk. It was, however, suspected that some non-financial customer information may have been exposed and a full review of security systems was undertaken.

Paddy Power places a premium on having robust security systems and processes and, in recent years, has invested over €4 million in its IT security systems.

The Paddy Power Support Team can be contacted on:

Phone:
Ireland - 1800 238 888
UK - 08000 565 275
Rest of World - +353 1 4040120

Email: support@paddypower.com

Media contacts:
Ireland
Karen Ferris / John Byrne
Drury Porter Novelli
T: 01 260 5000
M: 086 317 1248(KF)/087 938 3852 (JB)
E: karen.ferris@drurypn.ie

UK
Conor McClafferty
RLM Finsbury
T: 00 44 207251 3801
M: 00 44 207 251 3801
E: conor.mcclafferty@RLMFinsbury.com