SureBet247 shows how not to handle a data breach PR crisis

Nigerian sports betting operator SureBet247 is denying that its internal systems have been compromised by hackers, even as customers’ private information appears to be circulating on the internet.

Last week, Africa-focused digital technology news site iAfrikan reported that SureBet247 appeared to have suffered a security and data breach. The data – customer names, email addresses, dates of birth and betting records – was discovered in December by an anonymous source who tipped off Australian security researcher Troy Hunt.

Hunt, who runs the haveibeenpwned.com service, confirmed that at least some of the names in the database – including a German citizen living in Germany, raising concerns of violations of the European Union’s General Data Protection Regulation – had indeed registered with SureBet247 and that the personal information in the data Hunt received was accurate.

Convinced that the data was genuine, Hunt attempted to contact SureBet247’s parent company ChessPlus International Ltd without success. Hunt then contacted iAfrikan’s Tefo Mohapi, who was able to contact SureBet247, but received what he charitably described as a “nonchalant” response.

On January 4, SureBet247’s official Twitter account urged followers to “kindly ignore the information going round about a hack into our system.” The tweet went on to say that all “sensitive private and financial information are stored on a secured server and protected by the best firewall to prevent intrusions.”

SureBet247 appears to have made this claim without ever seeing the data that both Mohapi and Hunt tried to discuss with the company. SureBet247’s Twitter also blocked the accounts of Mohapi, Hunt and any customer who subsequently confirmed their information was among the data Hunt received.

Also on January 4, SureBet247’s managing director Sheriff Olaniyan sent iAfrikan a message saying SureBet247’s management “seriously frown at this malicious news been [sic] promoted by your organization.” Olaniyan denied that any customer data had been “breached or exposed” and called iAfrikan’s reporting “pure blackmail.”

Olaniyan also claimed that the anonymous individual who came forward with the data breach “was asking for payment and this was demanded from us.” Both Hunt and Mohapi concluded that the company was almost certainly the target of a shakedown but that didn’t negate the fact that sensitive data had been obtained.

On Monday, Nigerian media reported that the country’s National Information Technology Development Agency (NITDA) had asked its Data Breach Investigation Team to look into the matter.

While SureBet247 customers represented the bulk of the stolen data, files bearing the names of several other betting operators – including BetAlfa, BetWay, BongoBongo and TopBet – also appeared in the compromised data that Hunt received. Mohapi’s attempts to contact any of these operators were also met with silence.