UK online betting exchange Betfair has confirmed that it suffered a data breach last year in which millions of customers’ personal details were stolen by hackers.
Betfair describes the breach as an "attempted data theft". "Because of our security measures, the data was unusable for fraudulent activity and we were able to recover the data intact", it said in a statement.
The Daily Telegraph reported today that in March 2010, hackers stole data from the company including 2.3 million credit card numbers, 3.2 million user account logins and 90,000 usernames "with bank account details". A spokesperson for Betfair told Information Age that the facts in the Telegraph report were accurate.
Citing a confidential internal report, the Telegraph says that when Betfair discovered the breach, it informed authorities including the UK’s Serious Organised Crime Agency (SOCA) and the Gambling Commission. It also informed the Royal Bank of Scotland, which handles the company’s credit card transactions.
However, because the data breach occurred six months before Betfair launched on the London Stock Exchange, the Telegraph implies that the company should have given more information about it to potential investors.
It refers to a paragraph in the IPO prospectus in which Betfair revealed that it had "experienced a limited number of security breaches in the past [which have not had a significant effect on Betfair’s reputation, operations, financial performance and prospects and in respect of which remedial action has been taken]".
Betfair says it did not disclose details of the breach externally "because there was no risk to customers".
The Telegraph claims that Betfair, acting on the advice of SOCA, had not informed customers of the breach. It quotes SOCA as saying that "public disclosure would be detrimental to any intelligence operation or investigation".
However, a spokesperson for SOCA told Information Age that this is an overstatement by the Telegraph for a number of reasons, including the fact that it is not always SOCA’s policy to make such a recommendation. The spokesperson added that informing SOCA of a data breach is not the same as initiating a criminal investigation.
Betfair would not comment on this part of the story.
The Information Commissioner’s Office, meanwhile, said that it does not comment on ongoing criminal investigations, but confirmed that private organisations have no legal obligation to inform customers or investors of a data breach.