Bet24 Waits 19 Months To Inform Customers Of Security Breach

Bet24, the online sportsbook and poker site, announced Monday that it was the target of a security breach. The company sent out an email to its current and past customers letting them know that some of their personal information may have been compromised. While this is becoming more and more common of late, especially with the Sony scandal a few months ago, what’s particularly unusual about the case with Bet24 is that they were hacked in December 2009… and they’re just now telling customers about it, some 19 months later.

When police recovered unauthorized data, including personal and account information belonging to different sites, including Bet24, the Malta-based company came forward and issued a statement something like, “Oh, yeah, by the way, some of your data was lost in a security breach almost two years ago, and since the authorities have already recovered it, we may as well come clean and admit that it happened before someone else tells you.” Really, Bet24’s hesitation to come forward with this information until they absolutely had to raises two questions: first, would they have ever told their customers if the stolen information hadn’t been recovered? Second, how many other online poker sites have suffered similar attacks and aren’t reporting them?

The stolen data included customer names and contact information, user account IDs, passwords, and numbers for the card(s) used for payment. Some players have reported fraudulent use of their information both on and off the Bet24 site, and surely they would have liked to have known about the breach a little bit sooner. Bet24’s security notice states, “A small number of customers have alerted us to unauthorised activity on their Bet24 accounts, and we have fully reimbursed them for any financial loss incurred on their accounts.” That’s really the least that they can do, all things considered, but seeing as the poker world is currently filled with players irate because they haven’t been given their money back, Bet24’s attempts to watch their backs by keeping player alarm at a minimum seem to be satisfactory.

What isn’t satisfactory, however, is the unspoken failure attached. As Bet24’s security notice also says, “The stolen information is so far known to have been used to access a limited number of customers’ Bet24 accounts, third-party accounts and personal email accounts.” Now, security breaches happen, and surely Bet24 can’t be held entirely responsible for any information that escaped their site; truthfully, Bet24’s culpability is a more complicated subject that would require analysis of the quality of their security at the time. Waiting 19 months to inform customers of the breach, however, does make them culpable for the damages that resulted. If players had been informed of the types of information taken by the hacker(s), they could have taken the necessary precautions: changing passwords, watching bank statements and other activity more closely, etc. But the fact of the matter is this: Bet24 just sat on the information. They claim that they made efforts to counteract the damage done, but all of these measures (beefing up security, resetting passwords for some customers, etc.) don’t take into consideration that the security breach caused a ripple of damage that extended beyond the site.

When asked why Bet24 didn’t report the breach to their customers sooner, a customer service representative (who we can be sure was just providing the script given to all customer service representatives) responded, “We were not aware until very recently that this customer data had been stolen. At the time of the security breach in December 2009 we were advised by our database managers that no data had been copied. We are working closely with the police authorities to establish how the information was stolen, how it has been used, and which customers are affected.”

It seems, Bet24, that discovering these crucial details now is too little, too late.