Here are some of the comments Help Net Security received:
Brian Honan, CEO of BH Consulting and Special Advisor to Europol Cybercrime Centre
It is disappointing that, if Paddy Power knew about this breach in 2010, they are only now notifying customers and the Data Protection Commissioner. Indeed, the Irish Data Protection Commissioner is "disappointed" the breach was not reported by Paddy Power sooner.
When we are engaged with clients who suffer a security breach and there are any indications it may have impacted on personal information, we recommend the client engages with the Data Protection Commissioner as early as possible. Should the subsequent investigations highlight that personal data was exposed, then the company is in a much better position with the DPC.
What this incident highlights is that companies must expect and plan for security breaches. There is no such thing as 100% security and breaches will happen. It is how the organization responds and deals with a security incident that will determine what impact the breach will have. To this end companies need to ensure their security team has the appropriate tools, resources, and most importantly the time, to fully investigate the extent of a breach.
Paddy Power’s notice to customers is a good example for other companies to follow should they suffer a breach. It provides details to customers of what happened, the potential impact, advice on what they should do, and what the company is doing to rectify the situation.
Paul Ayers, VP EMEA at Vormetric
There are two key takeaways from today’s revelation that Paddy Power suffered a data breach in 2010. First, given the scale of the numbers involved and type of data stolen – names, addresses, dates of birth, and security question answers of some 649,000 customers – it is clear a database was at the heart of the attack. Second is the fact that it took some four years for the event to be made public.
Businesses continue to be targeted for customers’ data, and must appreciate the value of the sensitivity of the information they collect – and today’s events will add further weight to the mandate for tighter breach notification laws. Given the most recent draft of the proposed EU Data Protection Regulation stipulates that data controllers are obliged to notify the relevant privacy regulator of a breach within a 72-hour period, businesses across the board need to be ready to respond to breach incidents much faster.
Applying data-centric controls like encryption around all information – buffered with security intelligence and access control capabilities – regardless of where data resides in the business infrastructure, will help protect against both the likelihood of a security breach arising in the first place and, crucially, the adverse consequences of one – both for individuals whose data is compromised, and also for the business in terms of mitigating its liabilities following a breach. The race is on to protect data from hackers, and the safe bet is encryption.
Mark James, Technical Team Leader at ESET
It is imperative not only for customer relations but for security’s sake that these breaches are reported to the end users as soon as possible. I understand there are a set of guidelines the ICO impose regarding notifying them (24 hours) and the public (no time frame) but I personally believe the damage is much worse the longer you leave it.
Paddy Power state that they have “not detected any suspicious activity to indicate that customers’ accounts have been adversely impacted in any way” but often the data is not used for that purpose - it’s the basis for other activities and that’s why the end users need to be informed as soon as possible.
649,055 users’ pieces of potential data that can be used to gain access to other online accounts, including the customer’s name, username, address, email address, phone contact number, date of birth and prompted questions and answers, is always an issue.
The only thing we, the end users, can do to mitigate the damage is to change the password if used on other sites, but it’s also things like secret questions and answers. If we are aware of the breach we can ensure these answers are not used in the future.
Troy Gill, Senior Security Analyst at AppRiver
There is no need for panic here since no financial or password info has actually been exposed. It might be a good idea for Paddy Power to reset the few things that can be changed for these customers such as question and response specifics and username.
Of course these events at the very least serve as a great reminder to keep up good security practices – utilizing different passwords for each account - even if they are a minor inconvenience now, they could potentially save you a major inconvenience down the road. However, according to the disclosure from Paddy Power they do not believe that the passwords were ever stolen/exposed.
As more disclosure laws are being implemented all the time, I expect to see an upward trend in data breach disclosures over the near future. In this case it appears they only recently verified that the data had actually been stolen back in 2010.
Ken Westin, Tripwire Security Analyst
There are two types of breaches: those that are detected, that we hear about in the media, and those that just have not been detected yet. Increasingly, breaches are going undetected; data is being pilfered without any indicators to the organization.
With these types of breaches, we only identify the breach after the fact, and only when the data is leaked and traced back to its origins. We only know there is a fire when we see smoke, and the arsonist is long gone. It is really scary to realize how much potential breached data is available in black markets that we don't even know about.