The personal information of thousands of online gamblers and details of over 108 million bets have been exposed by a leaky server that almost certainly belongs to one of Curacao’s major online gambling licensing and solutions providers.
As reported by ZDNet, last week, security researcher Justin Paine stumbled on the server, which had been left online unsecured and unprotected by a password. Inside was a vast collection of data, referencing customers’ personal information, deposits, and withdrawals from multiple gambling sites, including kahunacasino.com, azur-casino.com, easybet.com, and viproomcasino.net.
ZDNet explained that the type of server — an Elasticsearch search engine — is usually installed on an internal network because it generally handles a company’s most sensitive information, but this one had been exposed online for all to see.
Paine reported that the search engine included customers’ real names, phone numbers, home addresses, account balances, and IP addresses, as well as information on bets, wins, deposits, withdrawals, and payment card details. The card details were partially redacted, but the information on show was enough to make customers extremely vulnerable to fraud or extortion.
Joining the Dots
But whose server was it? Azur Casino is owned by a company called Danguad Ltd, which is based in Nicosia, Cyprus. Kahuna Casino and VIP Room are both owned by a company called Mountberg, which is based in the same building as Danguad. However, Easybet — owned by TGI Entertainment NV — is a sports betting site that appears at first glance to be completely unrelated to the others.
Except that they have one thing in common: they are all licensed in Curacao under the same master license number, 1668/JAZ, which is owned by a company called Curacao eGaming.
Curacao eGaming offers white-label, turnkey solutions to a number of online gambling sites, as well as consultancy and compliance supervision. One of four master license holders in Curacao, it issues sub-licenses to its clients and provides the necessary IT infrastructure, including dedicated servers, private cloud servers, GEO IP services, cloud storage, and high-speed bandwidth rates.
ZDNet — unaware of the Curacao eGaming link — contacted the individual online gambling companies with a request for comment on the data leak and received no response, but reported that shortly afterwards the offending server was taken offline.
Casino.org reached out to Curacao eGaming for comment but had received no response by the time of publication.
The Trouble with Curacao
The Dutch Caribbean island of Curacao was an early adopter of online gambling and has existed as a licensing jurisdiction since 1996. But it has been repeatedly accused of offering no checks and balances on its licensees at all.
Meanwhile, questions have been asked in the Dutch parliament about the trade in sub-licenses by companies like Curacao eGaming and whether it is harming the island’s international reputation.
Last month, the government of Curacao announced it would tighten up its online gambling regulations, largely as a response to the conviction of its former prime minister, Gerrit Schotte, who was sentenced to three years in prison for accepting bribes from a land-based casino owner on the island with reputed Mafia connections.