Breach Reported 18 Months Later
Online Gambling Site Exposes 2.3 Million Payment CardsBetfair's systems breach, which occurred in March and April 2010, was not uncovered until this past May, when a server crashed. Now Betfair says cyberattackers likely gained access to the credit and debit details affiliated with 2.3 million customers.
Around 3.15 million usernames also were exposed, as were security questions. And 2.9 million of those usernames had physical addresses associated with them. Approximately 90,000 had bank account details attached.
In its annual report, Betfair notes that it has "experienced a limited number of security breaches in the past (which have not had a significant effect on Betfair's reputation, operations, financial performance and prospects and in respect of which remedial action has been taken)."
The company also says it must comply with data protection and privacy laws in markets where it operates. "If Betfair or any of the third party service providers on which it relies fails to transmit customer information and payment details online in a secure manner or if any such theft or loss of personal customer data were otherwise to occur, Betfair could face liability under data protection laws."
Despite those data-protection laws, Betfair sat on the breach, a decision that is likely to have a more devastating impact in the long run. In fact, cybercrime and identity theft expert Neal O'Farrell says the Betfair breach will become the poster child for how a company completely fails in security and breach response.
"It should also provide fuel for anyone calling for data breach legislation to include criminal sanctions against management teams that respond to a breach in this way," says O'Farrell, founder of the Identity Theft Council. "This was nothing short of a clumsy cover-up."
What Harm?
Betfair says it kept the breach under wraps because it had determined internally that no customer data had been harmed. But this attitude reflects negligence, experts say.O'Farrell says it's also disappointing that law enforcement may have exacerbated the problem by recommending Betfair not disclose the breach, fearing public knowledge might jeopardize the investigation. "Another reason why law enforcement should not dictate breach response," O'Farrell says.
Gartner analyst Avivah Litan says depending on how transactions are conducted, card information may not have been compromised.
"It's likely that MasterCard and Visa would have detected the breach well before the six-month period transpired," Litan says. But that would only be the case if card issuers noticed fraud or anomalous behavior and notified the card brands. If fraud was detected by other e-commerce retailers and service providers, then it would not likely be reported to MasterCard or Visa.
That said, Litan has more concerns about the breach of personally identifiable information and bank account details. "There is no entity that is looking out for the point-of-compromise of stolen bank accounts, as a matter of practice and routine, as exists with payment cards where Visa, MasterCard and the other card brands have a vested interest in detecting the point of compromise," she says.
Inadequate Security
The deeper concern is that Betfair's security measures for protecting cardholder data and sensitive PII about its users were wholly inadequate.Kevin Lee, CEO of cloud-based payments security provider CRE Secure, says Betfair does not appear to have adhered to any mandates outlined by the Payment Card Industry Data Security Standard, which call for the encryption of cardholder data during transactions. And if data was being stored, which is not yet clear, that obviously violates PCI's basic tenets as well.
"I'm not what sure happened in this case - how the hackers got in," Lee says. "But we do know that the most common form of hack that gets big chunks of card data is malware," he says. "So, the malware is launched and the business doesn't notice anything different."
Betfair, like a majority of merchants, could have been compliant long enough to pass a PCI audit, but perhaps not maintain that compliance. [See Why Merchants Struggle with PCI.]
Verizon's updated Payment Card Industry Compliance Report showed that of the 100 or so global organizations reviewed, only 21 percent have successfully maintained PCI compliance.
Jen Mack, director of PCI Consulting Services for Verizon, says the need for regular risk assessments is the most striking compliance gap. "Many companies are falling in and out of compliance throughout the year," she says. "And if they fall in an out of compliance throughout the year, they're going to remain targets for hackers."
That gap could be addressed by vendors, through the introduction of security solutions that are easy for the merchants to implement and deploy. But merchants have to bear responsibility when gaps and breaches occur.