By Maksym Schipka – SVP Engineering.
As many of you will have seen in the media last week, on the 31st of July - and 3 days after a suggestion for a merger between William Hill and Paddy Power to offset negative regulatory changes - Paddy Power announced a leak of almost 650,000 (649,055, to be more specific) clients’ details, dating back to 2010. In a comment that appeared in the Telegraph, I explained that a hack such as this is almost certainly bound to lead to identity fraud.
Let’s examine this data breach, both in terms of the security ‘incident’ and also the way it was handled.
Attempted hacks are taking place around the globe every second of every day, in an attempt to gain access to everything and anything - from publicly available websites to your home router. Just this week, 25 different IPs attempted to attack my home router! A large number of these attempts go unnoticed by their victims - Paddy Power did notice this attempt.
Many successful breaches don’t get fully investigated by organisations but in the case of Paddy Power, the company did investigate the breach. And while most successful breaches never get published, Paddy Power did report the breach. So, good.
But now for the Bad…
From the moment the data breach was reported, many things went wrong.
Firstly, the timing of the report (over 4 years later!) means that anything could have happened to the personal details leaked. According to the ActionFraud website, there are over 4 million victims of identity fraud in the UK alone, with £1,190 being the average cost to each victim and some individuals losing up to £9,000. The current UK population stands at almost 64 million people, meaning that roughly one in 16 people is affected. Applying the same ratio to the number of leaked records - some 40,000 of the 649,055 people involved - it’s easy to understand why informing people as soon as the data breach happened is imperative.
No financial information about its customers was leaked, and under current UK legislation that means no financial liability arises in a case like this (unlike the recent case of UK-based online travel company “Think W3”, where a breach of PCI DSS compliance enabled the regulator to fine the company at fault). However, the upcoming reform of the EU legal framework, leading to a new EU Data Protection Regulation, will change the notification process: the new regulation includes provisions requiring companies affected by a data breach to issue timely data breach notifications. The European Parliament Committee on Civil Liberties has proposed significant fines for companies that do not comply with the proposed regulation - up to 5% of annual worldwide turnover, or €100m - with the possibility for individuals and associations, acting in the public interest, to bring claims for non-compliance.
The media coverage generated by the incident indicates that the disclosure was only made public because the company had been notified by a ‘third party’ earlier this year, in May, that ‘someone in Canada’ had a ‘large database of information’ allegedly stolen in the attack. The conclusion to be drawn from this is that Paddy Power clearly did not feel at the time (back in 2010) that it was important to share the fact that this critical and confidential customer information - which included names, addresses, dates of birth, and even the maiden names of mothers - had fallen into the wrong hands, something that has undoubtedly damaged, and will continue to damage, the company’s reputation. We need only look at Target in the US to see the financial and reputational fallout from a data breach.
In the statement released following the disclosure of the breach the company said “… we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure.”
The tone of the statement indicates that while the necessary solutions may have been purchased, we know nothing about the state of the mandatory processes and policies needed to make such solutions effective once deployed. When a breach of PCI DSS compliance occurs, regulators are generally pragmatic and allow the affected company to purchase the necessary security solutions, provided that it commits to a robust plan for deploying them. Whether the deployment part - which is a lot more difficult than purchasing a solution - was actioned in Paddy Power’s case is unknown.
For those people affected by the breach, options are limited after the fact. But my three main suggestions would be:
- Obtain an identity fraud monitoring solution such as ProtectMyID from Experian or Identity Watch from Equifax. While these solutions will not protect you against the actual financial losses (that responsibility is shared between yourself and the financial organisations regulated by the FCA), they will flag up if a loan application or other activity related to your identity is taking place and enable you to investigate that activity further. Some solutions even help you restore your credit rating.
- Treat your mother’s maiden name as yet another password. Your real mother’s maiden name is a fact, not a secret: once it has leaked, as it has here, it cannot be changed, and it is discoverable from public records in any case. When you are asked for your mother’s maiden name, you don’t have to use the real one - you can use any password you can remember, and it is far better to make that password specific to the organisation you are giving it to, so that one organisation’s leak does not unlock your accounts elsewhere. Some people embed the name of the organisation into the “mother’s maiden name”; a random, unrelated answer stored in a password manager is stronger still, because an embedded name is a guessable pattern once a single answer leaks. The same rule applies to any other “security question” that organisations ask.
- Carefully monitor all correspondence and statements. If unusual activity is noted, do not delay: investigate it, bring it to the attention of the financial organisation and insist on further investigation.
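As an added illustration of the second suggestion above (this is example code written for this post, not something Paddy Power or any vendor ships), the snippet below treats every “security question” answer as a randomly generated, organisation-specific password: answers are drawn from a wordlist with a cryptographic random source, kept in a per-organisation vault, and compared in constant time. The wordlist and the organisation names are constructed for the demonstration, and the in-memory dictionary stands in for what would really be an encrypted password-manager entry.

```python
"""Per-organisation 'security question' answers, handled like passwords.

Added illustration for this post, not code from the original article.
The wordlist and organisation names are constructed for the demo; a real
vault would live inside an encrypted password manager, not an in-memory dict.
"""
import hmac
import math
import secrets

# Constructed sample wordlist (64 entries, 6 bits per word). A real generator
# would use a full diceware-style list of several thousand words.
WORDLIST = [
    "apple", "bridge", "candle", "dolphin", "engine", "falcon", "garden",
    "hammer", "island", "jacket", "kettle", "ladder", "magnet", "needle",
    "orange", "pencil", "quartz", "rocket", "saddle", "tunnel", "umpire",
    "violin", "walnut", "xenon", "yogurt", "zipper", "anchor", "basket",
    "carpet", "desert", "ember", "forest", "goblet", "helmet", "iceberg",
    "jungle", "kernel", "lantern", "marble", "napkin", "oyster", "parrot",
    "quiver", "ribbon", "sponge", "turtle", "unicorn", "velvet", "window",
    "yarrow", "zephyr", "acorn", "beacon", "cactus", "dagger", "eagle",
    "feather", "glacier", "harbor", "ivory", "jasmine", "koala", "lemon",
    "meadow",
]
DIGIT_SPACE = 10_000  # the trailing four-digit suffix


def generate_answer(n_words: int = 4) -> str:
    """Random, pronounceable answer: N words plus a 4-digit suffix.

    secrets.choice is used rather than random.choice because the answer is
    a credential, and the real maiden name is never part of it.
    """
    words = [secrets.choice(WORDLIST) for _ in range(n_words)]
    suffix = f"{secrets.randbelow(DIGIT_SPACE):04d}"
    return "-".join(words + [suffix])


def entropy_bits(n_words: int = 4) -> float:
    """Guessing entropy of generate_answer() for the current wordlist."""
    return n_words * math.log2(len(WORDLIST)) + math.log2(DIGIT_SPACE)


class AnswerVault:
    """One independent answer per (organisation, question) pair."""

    def __init__(self) -> None:
        self._answers: dict[tuple[str, str], str] = {}

    @staticmethod
    def _key(organisation: str, question: str) -> tuple[str, str]:
        # Normalise so "Bookmaker A" and "bookmaker a" map to the same entry.
        return organisation.strip().lower(), question.strip().lower()

    def answer_for(self, organisation: str, question: str) -> str:
        """Return the stored answer, generating a fresh one on first use."""
        key = self._key(organisation, question)
        if key not in self._answers:
            self._answers[key] = generate_answer()
        return self._answers[key]

    def verify(self, organisation: str, question: str, supplied: str) -> bool:
        """Constant-time check; an answer leaked from one site fails elsewhere."""
        expected = self._answers.get(self._key(organisation, question))
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    vault = AnswerVault()
    question = "mother's maiden name"
    leaked = vault.answer_for("Bookmaker A", question)   # constructed org name
    print("answer registered with Bookmaker A:", leaked)
    print("entropy (bits): %.1f" % entropy_bits())
    # The breached answer is useless at a second organisation.
    print("reuse at Bookmaker B accepted?",
          vault.verify("Bookmaker B", question, leaked))
```

The design point is that the answer is a credential, so it gets the same treatment as a password: generated with `secrets`, unique per organisation, never derived from the organisation name or from the real maiden name, and checked with `hmac.compare_digest` rather than `==`.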
What could Paddy Power do better, apart from more transparency upfront at the time of the incident? A simple gesture - for example, one year of free credit monitoring, including identity theft insurance, for affected customers, similar to what Target did in the wake of its data breach - would go a long way towards rebuilding customer confidence.