Betfair and the 3.15 million stolen account details

It's ten days since Betfair's Director of Security, Sean Catlett, fell on his sword after the frankly unbelievable data breach at Betfair. In those ten days everyone has talked about the fact that it was hushed up because of Betfair's impending float on the London Stock Exchange in October 2010. But that's hardly surprising, is it? The key point is that it happened. Not going public is a matter for Betfair and its shareholders, who bought their shares in good faith, blissfully unaware of the theft of millions of credit card details. The point is, this is an online gambling business: securing its customers' card details is critical. How did it happen?

We are now ten days on and I am quite surprised that there has been no hysterical mainstream media coverage. In fact, only the Telegraph seems to have paid it much attention. I realise there has been some stiff competition for news coverage of data breaches: the NHS seems to have managed the most column inches, a dubious distinction, and Sony are challenging with their lockdown yesterday. All of these have been widely reported. I wonder if editors are becoming tired of reporting such breaches, as they appear to be happening with monotonous regularity.

Another source of confusion for us here at Advent IM, as Security Consultants, was that Betfair held ISO27001 certification and, we are presuming (a dangerous thing to do), were and are fully PCI compliant. One wonders, then, what kind of ongoing compliance checking was happening. Gaining accreditation is important, of course it is, but it's only the first step on the route to risk-managed data security. Threats change all the time, and complacency can lead to situations like 3.15 million credit card details being stolen.

Continual checking, refinement and improvement are the way of good quality security policy, whether that is ISO27001 or PCI compliance. Complacency invalidates the work required to gain accreditation and secures very little.

2 thoughts on "Betfair and the 3.15 million stolen account details"

  1. The question I would be asking is who signed them off as compliant? There is a world of difference between information security and accredited compliance. The pressure on those consultants to sign off accreditation will have been immense. What will also be interesting, therefore, is the scope of the compliance. An organisation with accreditation is assumed to be compliant, but it depends what that accreditation actually covers. Good audit practice question number 1: can I see your scope statement? Shame on the Security Consultants that signed them off. I bet that is not in their marketing literature.