Paddy Power and Betfair customers have been warned after a massive cyberattack that compromised their personal details.
The data breach, affecting up to 800,000 Paddy Power and Betfair customers, could leave victims open to phishing attacks, experts say.
Irish-American firm Flutter Entertainment, which owns both gambling brands, said 'an unauthorized third party' gained access to 'limited betting account information'.
The information includes email addresses and IP addresses – the unique string of numbers that can reveal a web user's geographical location.
Flutter Entertainment said it is carrying out a 'full investigation' to understand the scale of the regrettable 'data incident'.
It is working with 'leading IT security experts' to 'terminate any unauthorised access' gained by the cybercriminals, whose identities are unknown.
'There is nothing you need to do in response to this incident, however we recommend you remain vigilant,' it told users.
'Safeguarding and securing our customers' information is of the utmost importance to us.'
Paddy Power and Betfair customers were contacted in an official email about the 'data incident', urging them to 'remain vigilant'.
'The nature of this incident means that regrettably some of your personal information has been impacted,' the email from Flutter Entertainment said.
'We want to be transparent with you and are therefore making you aware of the incident and the measures we have taken.'
According to the firm, an 'unauthorised third party' gained access to 'limited betting account information' relating to up to 800,000 customers.
IP addresses, email addresses and 'online activity data' have been compromised but not passwords, ID documents or 'usable card or payment details', it said.
However, Graham Cluley, a computer expert and security blogger, speculated that some payment card details were in fact compromised too.
'The word "usable" might be doing some heavy-lifting there; I wonder if some partial payment card details were exposed,' he said in a blog post.
Because email addresses were taken, an 'obvious threat' is phishing – when criminals send scam messages to trick their victims.
What if my account was breached?
Flutter Entertainment said 'there is nothing you need to do in response to this incident'.
However, Paddy Power and Betfair users should 'remain vigilant' when it comes to their online activity.
Be suspicious of emails, text messages or phone calls - especially if they claim to be from Paddy Power or Betfair.
Dodgy emails may encourage users to click links or enter credit card information. They may also refer to previous betting habits - data gained from the breach that could make the email seem more legitimate.
'Such emails will perhaps be posing as messages from the companies, in an attempt to trick users into handing over more of their details,' Cluley said.
'So be on your guard!'
Jake Moore, security advisor at ESET, said criminals tend to piece together the data they have to 'carry out a well crafted targeted attack'.
'Criminals are masters of putting what data they can source together to create a phishing email, text message or even a voice call in an attempt to manipulate a victim further,' he told MailOnline.
'Scammers often purport to be from the targeted business – in this case Paddy Power and Betfair – in order to try and capture more details from them in well constructed messages.
'Therefore, people need to be on high alert to such messages and refrain from offering up further information – especially anything financial.
'For example, cybercriminals may try to influence people who have had their email addresses stolen to re-enter their card details into a cloned website or even make them "log in" with their credentials.'
Tim Rawlins, director at global security firm NCC Group, said customers should be on the lookout for dodgy emails that encourage them to click links or enter credit card information.
Such emails may also refer to previous betting habits – data gained from the breach that could make the email seem more legitimate.
'You might re-enter your credit card number, you might re-enter your bank account details, those are the sort of things people need to be on the look out for and be conscious of that sort of threat,' Rawlins told the BBC.
This is not the first time that Paddy Power has suffered a data breach; in 2014, it finally admitted 650,000 customers had had their data stolen four years prior.
Compromised personal details included customers' names, usernames, addresses, email addresses, phone numbers, dates of birth and 'prompted question and answer'.
Fortunately, Paddy Power 'appears to have been more proactive in informing its customers this time,' Cluley added.
MailOnline has contacted Flutter Entertainment for comment.
Phishing involves cyber-criminals attempting to steal personal information
Phishing involves cyber-criminals attempting to steal personal information such as online passwords, bank details or money from an unsuspecting victim.
Very often, the criminal will use an email, phone call or even a fake website pretending to be from a reputable company.
The criminals can use personal details to complete profiles on a victim which can be sold on the dark web.
Some phishing attempts involve criminals sending out infected files in emails in order to take control of a victim's computer.
Any form of social media or electronic communication can form part of a phishing attempt.
Action Fraud warn that you should never assume an incoming message is from a genuine company - especially if it asks for a payment or wants you to log on to an online account.
Banks and other financial institutions will never email looking for passwords or other sensitive information.
An effective spam filter should protect from most of the malicious messages, although the user should never call the number at the bottom of a suspicious email or follow its link.
Experts advise that customers should call the organisation directly to see if the attempted communication was genuine.
According to Action Fraud: 'Phishing emails encourage you to visit the bogus websites.
'They usually come with an important-sounding excuse for you to act on the email, such as telling you your bank details have been compromised, or claim they're from a business or agency and you're entitled to a refund, rebate, reward or discount.
'The email tells you to follow a link to enter crucial information such as login details, personal information, bank account details or anything else that can be used to defraud you.
'Alternatively, the phishing email may try to encourage you to download an attachment. The email claims it's something useful, such as a coupon to be used for a discount, a form to fill in to claim a tax rebate, or a piece of software to add security to your phone or computer.
'In reality, it's a virus that infects your phone or computer with malware, which is designed to steal any personal or banking details you've saved or hold your device to ransom to get you to pay a fee.'