The revelation came to light late last week as the betting exchange said it did not disclose in last year’s flotation prospectus the details of the attack on customers’ payment card details.
According to the Financial Times, Betfair insisted that all of its advisers for the initial public offering knew about the extent of the incident.
The Betfair exchange – which claims to process five million transactions a day – did not inform its customers about the theft, which it said was of no fraudulent use to the cybercriminals because of encryption and which was recovered intact. It also says it informed the Serious Organised Crime Agency of the attack.
Commenting on the weekend revelations from Betfair, Lieberman Software's president Philip Lieberman said that, since its creation in June 2000, the Betfair betting exchange has grown to more than 3 million members and processes many millions of bets every single day.
“The majority of gamblers on Betfair use debit or credit cards to fund their accounts, along with PayPal, Moneybookers and other forms of electronic cash, so it is reasonable to assume that the payment card credentials of a large number of these 3.15 million customers were accessed”, he said.
Lieberman went on to say that, while it remains to be seen whether this payment card data was encrypted, the firm is still in clear breach of the PCI DSS rules and may well have been in breach of the Data Protection Act as some customer data was allegedly stolen by cybercriminals in Cambodia.
He added that, as if all this were not bad enough, what he finds incredible is that the data breach by the Cambodian hackers took place on March 14 last year, yet the fact that the breach occurred was not discovered until more than two months later, when a server crash occurred at a Malta-based data centre.
We now know that the Serious Organised Crime Agency, as well as Australian and German law enforcement agencies and the Royal Bank of Scotland – the payment processor for Betfair – were involved at some stage last year, but it is amazing that the betting exchange did not notify its customers of the data breach, he noted.
This all smacks of only doing the bare minimum – as required under law – to deal with a data breach, and not considering the best interests of Betfair's customers. One is forced to conclude that the proximity of the betting exchange's flotation had a lot to do with this, he explained.
The brutal reality, Lieberman says, is that a multi-million pound betting exchange, with operations in several countries, processing millions of transactions every single day, was clearly hacked by Far Eastern cybercriminals, despite the fact that the exchange had claimed previously that its security systems – as required by multiple regulatory authorities – were up to scratch.
“More than anything, the fallout from this episode sends all the wrong messages. It implies that, if you do suffer a data breach – yet only do the minimum checkbox security as required under law – the worst that can happen is that you make the business headlines some eighteen months later. No fines, no censures or anything,” he said.
“Most corporate governance and IT security professionals will be amazed at what has transpired and, as the facts emerge, you can bet your bottom dollar – as many Betfair punters do – that the management of a large number of organisations will conclude that they too can afford to take risks with their data security, and get away with it. That is bad news for the IT security profession and business generally, in my humble opinion,” he added.