Betfair didn't tell customers about data theft

The online gaming giant Betfair was the victim of a cyber attack a year and a half ago. Over 3.1 million usernames with security questions, 2.9 million account names, and almost 90,000 usernames with bank and credit card info were retrieved by the attacker last March. However, the company failed to tell its registered customers about the theft.

Betfair claims that it wasn't necessary to disclose the theft, because, in accordance with its security measures, the data stolen was encrypted and stored so that it can't be used for fraudulent activity. The firm says that it was able to restore the lost data with no loss if information. The company determined that the data leak would have no effect on users, and therefore decided that the attack didn't need to be disclosed. Befair did report the attack to the Serious Organised Crime Agency of the UK.

A company spokesman says that since the cyber attack Betfair's security policy has been reviewed and the company's security systems have been made stronger. The changes were made, he said, in order to conform to best practice guidelines for protection of user information. Added the spokesman, "We have subsequently implemented all of the recommendations from the independent reports we commissioned and have done everything we can to minimise the risk of this happening again."

Betfair failed to discover the theft until two months after the fact, when a server crashed at the company's data center in Malta. In all, two servers in Malta were affected by the attack, as well as nine in the UK. In addition to the UK's crime agency, the company says that it told the Australian Federal Police and German authorities about the theft.