Betfair keeps quiet over major theft of customer information
14/10/2011
Richard Whitehouse
Online gambling company Betfair was the victim of cyber attacks that attempted to gain access to customers' sensitive details, including security verification answers and credit card numbers.
The attack took place 18 months ago, in March 2010, Betfair confirmed on Friday. The company did not inform customers at the time.
"18 months ago we were subject to an attempted data theft. Because of our security measures the data was unusable for fraudulent activity and we were able to recover the data intact," the company said in a statement.
It added that it spoke to the "relevant authorities" at the time and "it was established that there was no risk to customers".
However, according to a report in The Telegraph, the attackers did in fact manage to steal millions of users' sensitive details including 2.28 million encrypted payment card account numbers and details, 3.16 million account user names with encrypted security questions and 89,744 account user names with bank account details.
According to The Telegraph, a report on the breach dated 27 September, 2010 was marked "Betfair Critical Confidential" and confirmed that "the attacker did indeed manage to copy the entire Sportex database", it said.
A separate report on the theft carried out by security consultancy Information Risk Management (IRM) concluded that "appropriate technical controls relating to such elements as network segregation and file integrity monitoring that would provide Betfair the ability to deter, prevent and detect such an incident are not in place", The Telegraph said.
Nor did Betfair disclose in last year's flotation prospectus full details of a big cyberattack on customers' credit card details, but it insisted that all of its advisers for the initial public offering knew about the extent of the incident.
The betting exchange operator issued its prospectus in September last year, six months after the cyberattack. In its prospectus, Betfair referred in its risk factors section to the potential for disruption to its technology, saying its controls may not be effective in detecting any intrusion or other security breaches, or safeguarding against sabotage, hackers, viruses and cybercrime.
The Betfair prospectus added: "Betfair has experienced a limited number of security breaches in the past (which have not had a significant effect on Betfair's reputation, operations, financial performance and prospects and in respect of which remedial action has been taken)."
Nowhere did the prospectus, punted to investors by Goldman Sachs, Morgan Stanley, Barclays Capital and Numis Securities, detail what had really been going on lately with Betfair's renowned technology. Namely, that a bunch of cyber-criminals, possibly originating in Cambodia, had breached the company's security systems on March 14, 2010. They had subsequently stolen, among other things, 2.28m "encrypted payment card account numbers and details", 3.16m "account user names with encrypted security questions" and 89,744 "account usernames with bank account details".
Indeed, a progress report marked "Betfair Critical Confidential" tells how "the attacker did indeed manage to copy the entire Sportex database", the one that contains all cardholder details. The report is dated September 27, 2010. That's just six days after the company announced its "intention to list", a statement containing Yu's explanation of how "Betfair's unique and highly sophisticated exchange platform technology is at the very heart of the company's success".
Such a confident statement is itself surprising. Just a month before the decision to press ahead with the float, Betfair had received a "Forensic Investigation Report" on the cyber theft from security consultancy Information Risk Management (IRM). Its first conclusion was that: "Appropriate information security governance is not in place within Betfair and as a consequence the business has been exposed to significant risks." Another one? That "appropriate technical controls relating to such elements as network segregation and file integrity monitoring that would provide Betfair the ability to deter, prevent and detect such an incident are not in place".
Neither did the prospectus detail the criminal and regulatory brouhaha unleashed by Betfair's belated discovery that, in the words of the "Project Brazil Progress Report", "a large volume of data" had been stolen. An "Incident Report to Regulators", dated July 15, 2010, explains that the thieves' haul included "approximately 850,000 unexpired credit card details", a large number in relation to the company's current 949,000 "active users", or regular gamblers. "We have taken the prudent view that the criminal has the expertise to decrypt the payment card details," Betfair admitted, though stressed that the "CVV2/CVC security numbers" were not stolen. It said advice from RBS was that "this very significantly limits the ability of the cards to be used fraudulently".
Betfair further commented on the affair by insisting that the data was "unusable for fraudulent activity" and "there was no risk to customers".
Betfair's share price is currently around half of what it was a year ago with a staggering PE Ratio of 38:1.