The online gambling firm 888 has been ordered to pay a record penalty of £7.8m after it failed to protect vulnerable customers because of a technical failure.

A technical failure meant 7,000 customers who had chosen to bar themselves from their accounts were still able to gamble on 888’s bingo platform. As a result, the Gambling Commission said there were “significant flaws” in the firm’s social responsibility processes, and issued the record fine.

One customer bet £1.3 million over 13 months without being identified as having a problem.

Sarah Harrison, chief executive at the Gambling Commission, said the penalty would ensure that “lessons are learnt”.

Part of the penalty package, according to the Gambling Commission, will be used to repay the £3.5 million in the deposits made by the customers who had opted to bar themselves from their account.

“Our requirements are that every company must provide the facility for every customer to be able to bar themselves from gambling. These 7,000 looked to do that. But 888 didn’t deliver it as effectively as they should have done,” Harrison told the BBC.

The Gambling Commission said “the lack of interaction with the customer, given the frequency, duration and sums of money involved in the gambling, raised serious concerns about 888’s safeguarding of customers at-risk of gambling harm”.

“There are around two million people now in Britain who either are problem gamblers or are at risk of problem gambling,” continued Harrison.

“Companies are beginning to put different practices in place to identify people right up front, but more needs to be done. We need to go further and we need to go faster.”

Commenting on the state of today’s gambling scene, Peter Murray, head of gaming at identity data intelligence company GBG, said the online environment was complex and ever-changing.

“Gambling companies need to demonstrate they have the ability to understand their customers intimately. This applies both at the point somebody registers to use a site and how they subsequently behave.”

“Many companies operate multiple brands and this presents the challenge of players registering accounts across different sites, often using different personal information. When protecting vulnerable players, therefore, it’s not as simple as excluding someone based on name, email address and payment card details. To accurately identify a person at the point of registration, multi-factor checks are needed to assess if it is the same individual. For example, what’s the IP address of a device?”

“Operators must be able to take instant action when customer behaviours change, to ensure they provide a positive player experience whilst also meeting their risk, compliance and social obligations.”