Online betting company Betfair allegedly had sensitive customer data stolen from its servers just months before the company's flotation last year, a report by the UK Telegraph newspaper claims.
The data was reportedly stolen by suspects in Cambodia between March 28th and April 9th, 2010. The stolen data reportedly includes:
payment card details of most of its customers;
3.15 million account usernames with encrypted security questions;
2.9 million usernames with one or more addresses; and
89,744 account usernames with bank account details.
The attack was discovered more than two months after the breach, when a production log server crashed at Betfair's data center in Malta. After discovering the first breach, Betfair discovered another nine servers that had been compromised in the UK, with two more in Malta.
The report states that Betfair informed several authorities, but did not tell its customers. Among the authorities contacted were the UK Serious Organized Crime Agency, Australian and German law enforcement, UK and Maltese regulators, and Betfair's own credit card processor, the Royal Bank of Scotland.
Betfair claims that customers were in no way at risk from the stolen data, and that the data taken was unusable for criminal activity. The betting exchange did reveal that the criminals had the ability to get credit card payment details but did not have the CVV2/CVC numbers on the cards, which limits the ability of those details to be used fraudulently.
A report on the incident was released by Information Risk Management, which said, "Appropriate information security governance is not in place within Betfair and as a consequence the business has been exposed to significant risks."