Paddy Power condemned after waiting FOUR YEARS to tell 650,000 customers of data breach

Bad gamble?

Popular gambling site Paddy Power has been heavily criticised after taking an incredible four years to tell 650,000 customers that their personal data has been compromised in a data breach dating back to 2010.

In a website announcement posted on Thursday in advance of customer notification letters, the company sought to play down the incident that only came to light by chance in May 2014 after it took legal action to recover data from an unnamed individual living in Canada after a tip-off.

Once examined, this data turned out to include customer names, web user names, email and home addresses, phone numbers, dates of birth as well as the answers to security questions for 649,055 who joined the service up to 2010.

Account passwords were not compromised and anyone who joined since the time of the breach would not be affected, the company said.

"We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data," claimed the firm's online managing director, Peter O'Donovan.

"That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach," he added.

The firm said it had detected what it described as an "attempted" breach of its systems in 2010 but after investigation decided that no financial information or passwords had been lost.

Despite the PR spin, the company's conduct begs some hard questions.

If it detected a data breach in 2010, why did it not inform the authorities or customers at the time? According to the company's account, the Irish Data Protection Commissioner was only told in May 2014, years after the incident.

It will also sound complacent that the firm has sought to dismiss the breach simply because 'only' personal data was lost; customers might point out that while credit card numbers can be changed, names and dates of birth can't. Financial losses resulting from any breach would have been its responsibility.

"It's shocking to see that Paddy Power has waited over four years to inform its users of the cyber-attack on the company, joining the ranks of eBay and Orange France that also waited far too long between a breach and public disclosure," commented George Anderson of security firm Webroot, hitting the nail square on its head.

"Waiting four years isn't just irresponsible, it's senseless," he said.

Clearswift SVP of engineering Maksym Schipka was equally scathing about the firm's behaviour.

"A breach on this scale, combined with the lack of transparency demonstrated by the company will certainly affect its professional reputation," he said. "It implies a huge failure on Paddy Power's behalf to maintain control and protection of its users' critical information."

The company's incident response is reminiscent of eBay, which in May admitted it had suffered a major data breach of up to 230 million users dating back to February that only came to light after a leak.

Join the CMO newsletter!

Error: Please check your email address.
Show Comments

Supporting Association

Blog Posts

People in vegan houses shouldn't throw bacon

Picture this. You’re at a Gourmerican burger joint chomping a cheeseburger, when an outspoken vegan friend starts preaching that you’re killing the planet. Last week, that same vegan downed a pricey glass of pinot before their flight to a far-flung destination, armed with their strongest mossie repellant and first aid kit. Anything amiss?

Abbie Love

Strategist, Ikon Communications

The role of the CMO is evolving: Are you keeping up?

My (amazing) vacation in the Galapagos Islands earlier in the year got me thinking about Charles Darwin and his theory of evolution. What does this have to do with the role of today’s CMO, you ask? Plenty.

Sheryl Pattek

Vice-president, executive partner

Getting your business ready for the Entrepreneurial Consumer

We all know the digital revolution has completely transformed the way consumers are interacting with brands, and that a lot of businesses are finding it hard to catch up. One way to closing this brand gap is to understand consumer behaviour and build a brand experience that meets these new needs.

Pip Stocks

CEO and founder, BrandHook


Kerry Edwards

Open Colleges taps into social for better student interaction

Read more

Or just go to sites like www.shopsthatshiptoaustralia.c... and others and be sure that the stores will send to where you live :-)


Why online shopping is like dating – RedBalloon CEO

Read more

Personalisation is the key. Customers demand a very relatable and well defined CX where the sincerity and understanding of their disposit...

Hitesh Parekh

In pictures: Improving cutomer experiences through smart personalisation

Read more

Thanks for this. The key for me is the effective of governance where it dictates and sets the proactive policy when it comes to CX. Tech ...

Hitesh Parekh

6 lessons in modern marketing from a customer experience chief

Read more

Very well said “With today’s consumers more demanding of the brands and merchants they shop, it’s imperative for merchants to not just co...


CMO's top 10 martech stories for this week - 29 September

Read more

Latest Podcast

More podcasts

Sign in