Betfair customer bank info hacked just months before company went public

Betfair Australia CEO Andrew Twaits recently sat down to talk tech with Computerworld Australia. Twaits is stoked about a new mobile product being developed in HTML5 that will make its debut in late October. In the meantime, Twaits expects his firm will handle 3m to 3.5m wagers this weekend as both the National Rugby League and Australian Football League finals commence, and he’s confident that his infrastructure can “easily” cope with 8k+ hits per second “over extended periods of time.” Then again, Twaits admits that “the core technology platform is run out of the UK,” where a Betfair spokesperson just this week advised punters to avoid peak hours, lest they find their £16k winning bets voided into the ether.

Twaits may have far greater concerns with the home operation’s technology. The Telegraph’s Alistair Osborne is reporting that the account info of millions of Betfair customers was stolen by (possibly Cambodian) cyber-thieves just months before the betting exchange went public last October.

On March 14, 2010, Betfair’s system was breached, but the intrusion wasn’t noticed until May 20, when a production log server at Betfair’s data center in Malta crashed. In total, two servers in Malta and “at least nine” more in the UK had been compromised. The data was extracted “beyond Betfair’s information systems perimeter via compromised hosts located within public internet service providers.”

An internal ‘Project Brazil Progress Report’ dated Sept. 27, 2010 – six days after CEO David Yu announced the company intended to go public – revealed that “the attacker did indeed manage to copy the entire Sportex database,” making off with 2.28m “encrypted payment card account numbers and details”, 3.16m “account user names with encrypted security questions” and 89,744 “account usernames with bank account details.”

Betfair duly informed the UK Gambling Commission and the Maltese Lotteries and Gaming Authority of the breach, stating: “We have taken the prudent view that the criminal has the expertise to decrypt the payment card details.” However, the CVV2/CVC security numbers were not stolen, which Betfair believed “very significantly limits the ability of the cards to be used fraudulently”. As such, Betfair concluded there was no reason to inform its customers, adding that “public disclosure would be detrimental to any intelligence operation or investigation” being conducted by the UK’s Serious Organized Crime Agency.

“THE BUSINESS HAS BEEN EXPOSED TO SIGNIFICANT RISK”
A ‘Forensic Investigation Report’ prepared by digital security consultants Information Risk Management concluded: “Information security was not implemented in accordance with best practice … appropriate information security governance is not in place within Betfair and as a consequence the business has been exposed to significant risks … appropriate technical controls relating to such elements as network segregation and file integrity monitoring that would provide Betfair the ability to deter, prevent and detect such an incident are not in place.”

When the company’s prospectus appeared, Betfair informed investors only that it had “experienced a limited number of security breaches in the past [which have not had a significant effect on Betfair’s reputation, operations, financial performance and prospects and in respect of which remedial action has been taken]”.

Since details of the Betfair breach became public, a company spokesman released the following: “Eighteen months ago we were subject to an attempted data theft. Because of our security measures, the data was unusable for fraudulent activity and we were able to recover the data intact. At the time, we contacted all the relevant authorities and worked closely with them regarding this matter and it was established that there was no risk to customers.”