TwoPlusTwo forum hacked

Players are being asked to exercise caution in what they post on the TwoPlusTwo forum, and some have been advised to change their passwords.

Any suggestion of a hack means all users would be sensible to change their password, to one they do not use anywhere else, that is robust, and that does not contain dictionary words. If you would like some guidance on the best way to do this, try our main blog here.
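As an added illustration of those three rules (unique, robust, no dictionary words), here is a small Python checker. It is example code written for this page, not something from the forum or from our blog, and its word list, leet-substitution table and thresholds are constructed for the demonstration; a real deployment would load a full dictionary and a breached-password list instead.

```python
import hashlib
import math
import re
import string

# Constructed mini dictionary for the demo (a real checker would load a
# full word list such as /usr/share/dict/words plus a breached-password list).
DICTIONARY_WORDS = {
    "password", "poker", "casino", "gambling", "twoplustwo", "forum",
    "welcome", "letmein", "dragon", "monkey", "qwerty",
}

# Common "leet" substitutions that cracking tools undo before matching words.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})


def normalise(password: str) -> str:
    """Lower-case and undo leet substitutions so 'P@ssw0rd' matches 'password'."""
    return password.lower().translate(LEET_MAP)


def dictionary_hits(password: str, words=DICTIONARY_WORDS, min_len=4) -> list:
    """Dictionary words (at least min_len long) found inside the normalised password."""
    norm = normalise(password)
    return sorted(w for w in words if len(w) >= min_len and w in norm)


def estimated_entropy_bits(password: str) -> float:
    """Rough upper-bound entropy: length * log2(size of the character pool used).
    Structured passwords score higher than they deserve; the dictionary check
    above is what catches those."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if any(c not in string.printable for c in password):
        pool += 100  # crude allowance for non-ASCII characters
    return len(password) * math.log2(pool) if pool else 0.0


def fingerprint(password: str) -> str:
    """SHA-256 hex digest used only to remember which passwords were used elsewhere,
    so the reuse check never needs the plaintext of old passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, previously_used=frozenset(),
                   min_length=12, min_bits=60) -> dict:
    """Apply the three rules: not reused, robust, no dictionary words.
    previously_used is a set of fingerprint() digests of passwords used on other sites."""
    problems = []
    if fingerprint(password) in previously_used:
        problems.append("reused: this password has already been used on another site")
    if len(password) < min_length:
        problems.append(f"too short: {len(password)} characters, need at least {min_length}")
    hits = dictionary_hits(password)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    bits = estimated_entropy_bits(password)
    if bits < min_bits:
        problems.append(f"weak: about {bits:.0f} bits of estimated entropy, want at least {min_bits}")
    if re.search(r"(.)\1{2,}", password):
        problems.append("contains a run of three or more repeated characters")
    return {"ok": not problems, "problems": problems, "entropy_bits": round(bits, 1)}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "vast-kettle-orbit-9-quartz"):
        print(candidate, check_password(candidate))
```

Note that the leet normalisation is the part that matters: "P@ssw0rd1" passes a naive "letters, digits and symbols" rule yet is flagged here because it is just the word "password" in disguise, which is exactly how password-cracking tools treat it.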

If you would like to read the whole story, click here.


Nine years' worth of data swiped from Ontario casino – hacker claims

Nine years' worth?! OK, hackers make a lot of claims, but data going back nine years is almost as impressive as the MySpace hack that reminded everyone who once had a MySpace page.

It does raise the question of why they were keeping data this old, though. Collect it for the purpose you need it for, then delete it securely!

Full story…

Watch out gambling guys, the ICO is watching

Gambling affiliates be warned: the Information Commissioner’s Office (ICO) is watching for what it considers to be unacceptable levels of ‘spam’ texts to users. A new code of practice is also being introduced with strict requirements for how customer data is used. This is in line with the current Data Protection Act (1998) and ahead of the EU GDPR (the new regulation on data protection for any data processor using EU citizens’ data), which applies from May 2018. If you want more detail or support on GDPR, please visit our website.

You can read more about it here. 

GDPR and the Gambling Industry

The EU’s General Data Protection Regulation (GDPR) is going to affect all businesses trading in or through the EU, and the UK gambling market will also feel its impact.

The UK has its own Data Protection Act, and the EU Data Protection Directive has been in place since 1995. But developments in technology and business models have left the rules out of date in many ways, so an overhaul was overdue.

For gambling, there will be a lot of things to think about and we can’t cover everything in a blog post. But here is some food for thought, or a starter at least. You know where we are if you need us.

GDPR will impact all gambling providers, and non-EU providers need to be extra vigilant and take care not to breach these regulations. Most of the requirements are not new, but compliance will now be enforced, with fines for serious breaches of up to €20,000,000 or 4% of the previous year’s global turnover, whichever is higher (a greatly increased ceiling).

Data subjects must be clearly notified that their information is being collected and/or processed, and for what specific purpose. There must be a clearly defined reason for collecting the data, of which the subject is fully aware.

Once you have the subject’s data, you can only hold and use it for the purpose you collected it for, and for no longer than it is required for that purpose. The data subject also needs to be totally clear on who they have lent their data to.

If any ‘data profiling’ takes place, the subject should be informed of it and of any consequences that may arise from it. There should also be a mechanism for data subjects to withdraw their consent to the use of their data.

Operators will also be required to notify the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of a breach, and to tell affected data subjects without undue delay where the breach is likely to put them at high risk. That duty to tell data subjects does not apply where the data was rendered unintelligible to whoever took it, for example by proper encryption, which is one more reason to encrypt personal data at rest.


You can get us at

0121 559 6699 / 0207 100 1124

Four Winds casino hit by hackers

(US) Michigan casino Four Winds has discovered that cardholder data, including all of the data stored on the card’s magnetic stripe, has been stolen by hackers. The casino is warning customers who used their cards there between October 2014 and October 21, 2015 that their information may have been compromised and/or stolen.

Cybercrime knows no geography, so it is important not to be distracted by the location of the crime. This may have happened in Michigan, but the criminals could be anywhere.

There are no details available yet on how the hackers managed to upload the code that allowed this information to be copied from the casino’s systems. Phishing of employees is one of the most popular and successful routes into a business, so ensuring employees are able to spot phishing, and its more targeted and more successful big brother, spear phishing, is imperative. Employees are always going to be the Achilles heel of a security strategy, and that is why businesses that handle personal information need to place enough importance on training and re-training them in security awareness and the latest threats.

Insider threat is a worry for many businesses too, and it is the other end of the human threat: the nefarious individual is already on the inside. Obviously, we don’t know what happened in this instance, but it offers all such businesses a prompt to review their security training, vetting and overall strategy.

Nexon data breach – did you hear about it?

Firstly, I would like to thank one of our Consultants, Mark Goddard, for his expert opinion in this blog. Over to you, Mark…

So it’s happened again.  Another online gaming company have admitted that their customers’ personal details have been breached.  Nexon have confirmed that up to 13 million names, usernames, encrypted registration numbers and passwords had been hacked.  The reason you might not have heard about it?  ‘It’ was in Korea.  But let us be clear reader, that is no reason to stop reading, be relieved that it wasn’t you or your loved ones who were affected, or think that this does not affect you.

Online gambling and gaming platforms are complex beasties.  You might well be sat in the comfort of your own home / office / igloo, but your personal information, transaction history and player information are not!  And that means bad people can access your information if the companies you entrust it to are not careful with it.  We saw earlier in the year how Betfair’s customer information was hacked from Cambodia.  And let’s be clear, this wasn’t some nosey kid with an IQ of 210.  These were bad people who wanted our credit card information to do bad things with.

Likewise, Sony have had a bad year of it too.  In April and October this year their platforms were hacked, hurting their image and share price.  So, what to do?

Well, if you are a user, unfortunately you have very little individual control over how your gambling or gaming service provider protects your information.  Consider using a company based in the European Economic Area (they should have good data protection practice in place) and, when you sign up, watch out for agreeing to permissive disclaimers about where they can store or transfer your information to.  On your part, use strong passwords (e.g. G4mb!ng1 – it’s not that difficult, but don’t use that one now!), change your password every so often and always change it if you think it may have been compromised.  Oh, and I know it is convenient to get the computer to ‘remember your password’, but it is just as secure as you think it is (i.e. not very!).

And if you are an online gambling, gaming, leisure or retail company?  Well, tell your customers what you do with their data (including where you keep it), stick to that, ask them if you want to change why or where you keep their data, and keep it secure using adequate technical, physical, management and personnel controls based on a sound risk assessment (truly, this need not be difficult, time-consuming or expensive).

Safe surfing!

Mark Goddard.

New Information Security Training dates for 2012

New Information Security Courses now available

ISO 27001 – We have new dates for the one-day Introduction to Information Security course and the five-day Lead Auditor course, both running in 2012. The initial dates are all in February, and details are in the training section of the website along with a booking form if you need one. If you have other training requirements, you can phone and talk to us and we will try to help.