
Betfair keeps quiet over major theft of customer information 14/10/2011
Richard Whitehouse
Online gambling company Betfair was the victim of cyber attacks that attempted to gain access to customers' sensitive details, including security verification answers and credit card numbers.

The attack took place 18 months ago, in March 2010, Betfair confirmed on Friday. The company did not inform customers at the time.

"18 months ago we were subject to an attempted data theft. Because of our security measures the data was unusable for fraudulent activity and we were able to recover the data intact," the company said in a statement.

It added that it spoke to the "relevant authorities" at the time and "it was established that there was no risk to customers".

However, according to a report in The Telegraph, the attackers did in fact manage to steal millions of users' sensitive details including 2.28 million encrypted payment card account numbers and details, 3.16 million account user names with encrypted security questions and 89,744 account user names with bank account details.

According to The Telegraph, a report on the breach dated 27 September, 2010 was marked "Betfair Critical Confidential" and confirmed that "the attacker did indeed manage to copy the entire Sportex database", it said.

A separate report on the theft carried out by security consultancy Information Risk Management (IRM) concluded that "appropriate technical controls relating to such elements as network segregation and file integrity monitoring that would provide Betfair the ability to deter, prevent and detect such an incident are not in place", The Telegraph said.

Nor did Betfair disclose in last year’s flotation prospectus full details of a big cyberattack on customers’ credit card details, but it insisted that all of its advisers for the initial public offering knew about the extent of the incident.

The betting exchange operator issued its prospectus in September last year, six months after the cyberattack. In its prospectus, Betfair referred in its “risk factors” section to the potential for disruption to its technology, saying its controls “may not be effective in detecting any intrusion or other security breaches, or safeguarding against sabotage, hackers, viruses and cybercrime”.

The Betfair prospectus added: “Betfair has experienced a limited number of security breaches in the past (which have not had a significant effect on Betfair’s reputation, operations, financial performance and prospects and in respect of which remedial action has been taken).”

Nowhere did the prospectus – punted to investors by Goldman Sachs, Morgan Stanley, Barclays Capital and Numis Securities – detail what had really been going on lately with Betfair's renowned technology. Namely, that a bunch of cyber-criminals, possibly originating in Cambodia, had breached the company's security systems on March 14, 2010. They had subsequently stolen, among other things, 2.28m "encrypted payment card account numbers and details", 3.16m "account user names with encrypted security questions" and 89,744 "account usernames with bank account details".

Indeed, a progress report marked "Betfair Critical Confidential" tells how "the attacker did indeed manage to copy the entire Sportex database" – the one that contains all cardholder details. The report is dated September 27, 2010. That's just six days after the company announced its "intention to list" – a statement containing Yu's explanation of how "Betfair's unique and highly sophisticated exchange platform technology is at the very heart of the company's success".

Such a confident statement is itself surprising. Just a month before the decision to press ahead with the float, Betfair had received a "Forensic Investigation Report" on the cyber theft from security consultancy Information Risk Management (IRM).

Its first conclusion was that: "Appropriate information security governance is not in place within Betfair and as a consequence the business has been exposed to significant risks." Another one? That "appropriate technical controls relating to such elements as network segregation and file integrity monitoring that would provide Betfair the ability to deter, prevent and detect such an incident are not in place". Neither did the prospectus detail the criminal and regulatory brouhaha unleashed by Betfair's belated discovery that, in the words of the "Project Brazil Progress Report", "a large volume of data" had been stolen.

An "Incident Report to Regulators", dated July 15, 2010, explains that the thieves' haul included "approximately 850,000 unexpired credit card details" – a large number in relation to the company's current 949,000 "active users", or regular gamblers.

"We have taken the prudent view that the criminal has the expertise to decrypt the payment card details," Betfair admitted, though stressed that the "CVV2/CVC security numbers" were not stolen.

It said advice from RBS was that "this very significantly limits the ability of the cards to be used fraudulently".

Betfair further commented on the affair by insisting that the data was "unusable for fraudulent activity" and "there was no risk to customers".

Betfair's share price is currently around half of what it was a year ago with a staggering PE Ratio of 38:1.

 

