Paddy Power Admits to 2010 Hack of Customer Data

Posted on: August 5, 2014, 06:42h. 

Last updated on: September 17, 2014, 01:56h.

Paddy Power is facing criticism for their slow response to a 2010 hacking incident. (Image: Kake Pugh/Flickr)

Across-the-pond sports betting operation Paddy Power is no stranger to finding ways to get its name into the news. From controversial promotions to outrageous ads, the Irish bookmaker is willing to do just about anything to raise its public profile. But this week, Paddy Power found itself making headlines in a way that certainly wasn’t intentional.

Paddy Power admitted that nearly 650,000 customers had their personal data stolen in a website hack that took place way back in 2010. The bookmaker made the admission even as the company was preparing to inform specific customers of the incident.

No Financial Data Stolen

The stolen data included basic personal information on each player: names, addresses, dates of birth, and so on. There were also the answers to the personal questions players used to verify their identities. Critically, there was no financial information such as credit card numbers included in the stolen data.

“We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result,” said Peter O’Donovan, managing director of Paddy Power’s online operations. “We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach.”

Canadian Police Help With Investigation

The company says that they were first made aware of the hack in May of this year, when they learned that some of their customer data had been accessed by a Canadian individual. After the company alerted Irish police to the situation, authorities in Canada assisted in reclaiming the data.

“The full extent of the 2010 data breach became known to the Company in recent months when it took legal action in Canada with the assistance of the Ontario Provincial Police to retrieve the compromised dataset from the individual,” Paddy Power said in a statement.

Ontario police say that the case against the individual is being handled as a civil matter rather than a criminal action. For that reason, a spokesperson for the Ontario Provincial Police was unable to reveal the identity of the target of their investigation.

According to Paddy Power, a total of 649,055 individuals were impacted by the data theft. The bookmaker says that they’ve been monitoring the active accounts on their site, and that there has been no suspicious activity that would suggest anyone has gained access to these accounts. However, since the personal question data was part of the information stolen, they recommend that customers “review other sites where they use the same prompted question and answer as a security measure and update where appropriate.”

Company Criticized for Slow Response

Paddy Power has been criticized in many corners for their slow response, as about four years passed between the breach and the time customers were made aware that their data was stolen.

“I am very disappointed that it has taken until now for Paddy Power to inform its customers,” said Dara Murphy, Ireland’s junior minister for data protection.

“It’s shocking to see that Paddy Power has waited over four years to inform its users of the cyber-attack on the company,” said George Anderson of Webroot, a security firm. “Waiting four years isn’t just irresponsible, it’s senseless.”