Nexon data breach – did you hear about it?

Firstly I would like to thank one of our Consultants, Mark Goddard, for his expert opinion in this blog. Over to you, Mark…

So it’s happened again. Another online gaming company have admitted that their customers’ personal details have been breached. Nexon have confirmed that up to 13 million names, usernames, encrypted registration numbers and passwords were stolen. The reason you might not have heard about it? ‘It’ was in Korea. But let us be clear, reader: that is no reason to stop reading, to be relieved that it wasn’t you or your loved ones who were affected, or to think that this does not affect you.

Online gambling and gaming platforms are complex beasties. You might well be sat in the comfort of your own home / office / igloo, but your personal information, transaction history and player information are not! That means bad people can get at your information if the companies you entrust it to are not careful with it. We saw earlier in the year how Betfair’s customer information was hacked from Cambodia. And let’s be clear, this wasn’t some nosey kid with an IQ of 210. These were bad people who wanted our credit card information to do bad things with.

Likewise, Sony have had a bad year of it too. In April and October this year their platforms were hacked, hurting their image and share price. So, what to do?

Well, if you are a user, unfortunately you have very little individual control over how your gambling or gaming service provider protects your information. Consider using a company based in the European Economic Area (they should have good data protection practice in place) and, when you sign up, watch out for agreeing to permissive disclaimers about where they can store or transfer your information. On your part: use strong passwords (e.g. G4mb!ng1 – it’s not that difficult, but don’t use that one now!), change your password every so often, and always change it if you think it may have been compromised. Oh, and I know it is convenient to get the computer to ‘remember your password’, but it is just as secure as you think it is (i.e. not very!).
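As an added example (this is not code from Mark’s post or from Advent IM), here is the kind of check a site could run on a new password, or a user could run on their own, to go beyond “mixed characters and a digit”. It tests length and character variety, but it also undoes the common digit-for-letter substitutions and strips the trailing digit, which is exactly what the rule sets in password-cracking tools do, and then compares the result against a word list. The word list, the 12-character minimum and the 16-character passphrase exemption are assumptions made for this example; the post gives no figures.

```python
"""Password checks: length, character variety, and whether the password is
just a dictionary word in disguise. Added example, not from the original post."""
import re
from typing import List, Optional

# Constructed mini word list (an assumption for this example). A real check
# would load a large dictionary or a breached-password list instead.
COMMON_WORDS = ("gambling", "password", "betfair", "casino", "poker", "letmein")

# Character substitutions that cracking rule sets routinely undo.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12        # assumed policy minimum
PASSPHRASE_LENGTH = 16  # assumed: long passphrases need not mix classes


def normalize(password: str) -> str:
    """Strip leading/trailing digits and symbols (the 'append a 1' habit),
    then undo substitutions, mimicking a cracker's mangling rules."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a near-dictionary word."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def disguised_word(password: str) -> Optional[str]:
    """Return the word-list entry this password is a thin disguise of, if any
    (within one edit after normalisation), else None."""
    core = normalize(password)
    for word in COMMON_WORDS:
        if edit_distance(core, word) <= 1:
            return word
    return None


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and symbol classes are present."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, password)) for p in patterns)


def check_password(password: str) -> List[str]:
    """Return the list of problems found; an empty list means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"only {len(password)} characters (minimum {MIN_LENGTH})")
    if len(password) < PASSPHRASE_LENGTH and character_classes(password) < 3:
        problems.append("fewer than three character classes")
    word = disguised_word(password)
    if word:
        problems.append(f"is '{word}' with a few substitutions; "
                        "a rule-based attack recovers it")
    return problems


if __name__ == "__main__":
    for candidate in ("G4mb!ng1", "passw0rd!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Run against the post’s own example, `G4mb!ng1` normalises to `gambing`, one edit away from `gambling`, so it is flagged even though it has all four character classes; a long plain-word passphrase passes. The lesson a practitioner takes from this is that substitutions and a trailing digit add almost nothing against a dictionary attack with mangling rules, whereas length does.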

And if you are an online gambling, gaming, leisure or retail company? Well, tell your customers what you do with their data (including where you keep it), stick to that, ask them before you change why or where you keep it, and keep it secure using adequate technical, physical, management and personnel controls based on a sound risk assessment (truly, this need not be difficult, time-consuming or expensive).

Safe surfing!

Mark Goddard.

New Information Security Training dates for 2012

http://www.advent-im.co.uk/information_security.aspx

New Information Security Courses now available

ISO 27001 – We have new dates for the Introduction to Information Security one-day course and the Lead Auditor five-day course, both running in 2012. The initial dates are all in February, and details are in the training section of the website along with a booking form if you need one. If you have other training requirements, you can phone and talk to us and we will try to help.

http://www.advent-im.co.uk/information_security.aspx

Betfair and the 3.15 million stolen account details

Gambling online

It’s ten days since Betfair’s Director of Security, Sean Catlett, fell on his sword after the frankly unbelievable data breach at Betfair. In those ten days everyone has talked about the fact that it was hushed up because of Betfair’s impending float on the London Stock Exchange in October 2010. But that’s hardly surprising, is it? The key point is that it happened. Not going public is a matter for Betfair and its shareholders, who bought their shares in good faith, blissfully unaware of the theft of millions of credit card details. The point is, this is an online gambling business – securing their customers’ card details is critical. How did it happen?

We are now ten days on and I am quite surprised that there has been no hysterical mainstream media coverage. In fact, only the Telegraph seems to have paid it much attention. I realise there has been some stiff competition for news coverage of data breaches, and the NHS seems to have managed the most column inches, a dubious distinction. Sony are challenging with their lockdown yesterday; all of these have been widely reported. I wonder if editors are becoming tired of reporting such breaches, as they appear to be happening with monotonous regularity.

Another source of confusion for us here at Advent IM, as security consultants, was that Betfair had ISO 27001 and, we are presuming (a dangerous thing to do), were/are fully PCI DSS compliant. One wonders, then, what kind of ongoing compliance checking was happening. Gaining certification is important, of course it is, but it’s only the first step on the route to risk-managed data security. Threats change all the time, and complacency can lead to situations like 3.15 million account details being stolen.

Continual checking, refinement and improvement are the way of good security practice, whether that is ISO 27001 or PCI DSS compliance. Complacency invalidates the work required to gain certification and secures very little.

gambling on security

Hello and welcome to our blog.

We will be talking about issues that affect the gambling industry with a particular slant on security of all kinds, be that physical, business continuity or information.

The news has been full of data breaches on a wide scale. We will be commenting on this soon and would like to invite others to join in. You can email us or comment on the blog.

Watch this space next week.

Ellie

www.advent-im.co.uk