Betfair’s Gamble on Disclosure

Nearly four million records were stolen last year from the fast-growing gambling company, apparently along with the encryption keys protecting them. The Telegraph reports that Betfair was forced to disclose the theft to law enforcement, partners and regulators:

The theft was so serious that Betfair was forced to inform the UK’s Serious Organised Crime Agency (SOCA), the Australian Federal Police and German law enforcement officials. It also notified the UK Gambling Commission and the Maltese Lotteries and Gaming Authority, as well as Royal Bank of Scotland, its “acquiring bank” – the lender responsible for accepting credit and debit card payments made via Betfair.

It did not, however, report the theft to the owners of the records, the customers who would actually be impacted:

Its July report to regulators states it had decided there was no reason to inform its customers, after taking advice from SOCA that “public disclosure would be detrimental to any intelligence operation or investigation”.

The argument for not disclosing the breach to customers supposedly hinged on one detail: whether the card security codes (CVV2/CVC) were among the data exposed.

“We have taken the prudent view that the criminal has the expertise to decrypt the payment card details,” Betfair admitted, though stressed that the “CVV2/CVC security numbers” were not stolen.

It said advice from RBS was that “this very significantly limits the ability of the cards to be used fraudulently”.

That is nonsense, of course. If stolen card data without the security code were so hard to use fraudulently, why encrypt it in the first place? PCI DSS would not be so strict about encrypting stored cardholder data and securely destroying it once it is no longer needed if the RBS argument about what “very significantly limits” fraud held up. And this is RBS we are talking about, another company infamous for weak security, I have to point out.

The CVV2/CVC codes were absent only because PCI DSS strictly prohibits storing them after authorisation; that does not mean the card brands are happy to let the rest of the card data float around. More to the point, criminals make fraudulent use of cards all the time without the CVV2/CVC, since plenty of card-not-present merchants never ask for it.

It is a story to make many people upset, surely, but there is a darkly humorous twist in the details. Betfair only discovered the breach when a server that should have been helping it monitor for breaches crashed, two months after the intrusion began:

The first Betfair knew of the theft was when a “production log server” crashed in its Malta data centre on May 20 – more than two months after the initial breach. That led to the discovery that “at least nine servers [had] been compromised in the UK and two in Malta”.

Hey, someone check the log server, it stopped responding. Oh, well, look at that: the logs say we have been breached for a while.
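The lesson of that log server is that the collector itself has to be watched: a host that stops sending logs, whether because an attacker disabled forwarding or because the agent died, should raise an alert long before a crash forces someone to look. What follows is an added illustration of that check, not Betfair's or IRM's code. The log events, host names, collector threshold and the inventory of expected hosts are all constructed assumptions; the check is run against them at a chosen "now" so it works offline.

```python
"""Dead-source detection for a central log collector (added example).

Two checks a collector should run on itself, on constructed data:
  * silent_sources: which inventoried hosts have gone quiet?
  * collector_alive: has *everything* gone quiet, i.e. is the collector
    (rather than every host at once) the thing that failed?
"""
from datetime import datetime, timedelta

# Constructed sample feed: (timestamp, source host, message). Not real data.
SAMPLE_EVENTS = [
    ("2010-03-10T09:00:00", "web-uk-01", "sshd: accepted publickey for deploy"),
    ("2010-03-10T09:01:00", "web-uk-02", "nginx: 200 GET /"),
    ("2010-03-10T09:02:00", "db-mt-01", "postgres: checkpoint complete"),
    ("2010-03-10T09:30:00", "web-uk-01", "nginx: 200 GET /account"),
    ("2010-03-10T09:31:00", "web-uk-02", "nginx: 200 GET /"),
    # db-mt-01 goes quiet here. A host whose syslog forwarding an intruder
    # has switched off looks identical to one whose agent simply crashed.
    ("2010-03-10T10:30:00", "web-uk-01", "nginx: 200 GET /"),
    ("2010-03-10T10:31:00", "web-uk-02", "nginx: 200 GET /"),
]

# Assumed inventory of hosts that are supposed to be logging.
EXPECTED_HOSTS = ["web-uk-01", "web-uk-02", "db-mt-01"]


def parse_ts(s):
    """Parse the ISO-8601 timestamps used in the constructed feed."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def last_seen(events):
    """Map each source host to the datetime of its most recent event."""
    seen = {}
    for ts, host, _msg in events:
        t = parse_ts(ts)
        if host not in seen or t > seen[host]:
            seen[host] = t
    return seen


def silent_sources(events, expected_hosts, now_iso, max_gap_minutes):
    """Return [(host, last_seen_iso_or_None)] for inventoried hosts with no
    event within max_gap_minutes of now. Hosts that never logged at all are
    reported with None: "never seen" is the most suspicious gap of all."""
    now = parse_ts(now_iso)
    max_gap = timedelta(minutes=max_gap_minutes)
    seen = last_seen(events)
    silent = []
    for host in expected_hosts:
        last = seen.get(host)
        if last is None or now - last > max_gap:
            silent.append((host, last.isoformat() if last else None))
    return silent


def collector_alive(events, now_iso, max_gap_minutes):
    """Dead-man switch for the collector: True only if at least one host has
    logged within max_gap_minutes. If nothing has, suspect the collector."""
    seen = last_seen(events)
    if not seen:
        return False
    newest = max(seen.values())
    return (parse_ts(now_iso) - newest) <= timedelta(minutes=max_gap_minutes)


if __name__ == "__main__":
    NOW, GAP = "2010-03-10T10:35:00", 45  # assumed check time and threshold
    for host, last in silent_sources(SAMPLE_EVENTS, EXPECTED_HOSTS, NOW, GAP):
        print(f"ALERT: {host} silent since {last}")
    print("collector alive:", collector_alive(SAMPLE_EVENTS, NOW, GAP))
```

Run against the constructed feed it flags db-mt-01 as silent while reporting the collector healthy; in practice the inventory would come from the asset register and the threshold would be tuned per log source, with a second, independent system (not the collector) executing the `collector_alive` check.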

That might scare some executives into proceeding with caution, but Betfair not only took a gamble by not disclosing the breach to customers; it then took an even bigger one by pressing ahead with its stock market flotation while faced with serious operational deficiencies:

Just a month before the decision to press ahead with the float, Betfair had received a “Forensic Investigation Report” on the cyber theft from security consultancy Information Risk Management (IRM).

Its first conclusion was that: “Appropriate information security governance is not in place within Betfair and as a consequence the business has been exposed to significant risks.”

A second conclusion? That “appropriate technical controls relating to such elements as network segregation and file integrity monitoring that would provide Betfair the ability to deter, prevent and detect such an incident are not in place”.

Now we can watch and see how the gambles work out for them.
