It has come to light that Paddy Power, a betting firm with an online presence, was breached four years ago and is only now (almost half a decade later) barely notifying its 650,000 customers of the security incident. Paddy Power PLC trades on the Irish Stock Exchange and generates north of 600M euros annually. The data stolen included customer names, usernames, addresses, emails, telephone numbers, and birth dates, “but not passwords”. Paddy Power said any customers who signed up after 2010 are not affected. On the bright side, Paddy Power has invested $4M in beefing up its security. On the not-so-bright side, the company should have notified customers far sooner. I’m sure Paddy Power has righted the ship, and won’t let this type of incident happen again.
Security breaches happen to the best of them. Online companies get a free pass for one breach, as long as it’s not too severe, but if it happens a second time, then things definitely have to change, either by changing the guard or by adding an InfoSec team dedicated to securing the online properties. The damages for a breach nowadays are heavy, and they will hit the breached company in the pocketbook in three areas: 1) it will need to hire an outside security outfit to audit the technology stack, 2) it will need to buy lots of security products to beef up security, and 3) it will need to pay out large sums of money when it gets sued by customers. Add these three together, and we’re talking about millions of dollars in damages.