Paddy Power Technology


Paddy Power, an Irish bookmaker that conducts business offline through a chain of licensed betting shops in the United Kingdom and Ireland, as well as online and by telephone in Ireland, has today announced a data breach that dates back to 2010.

In its statement Paddy Power uses the term 'historical data breach' because the incident it refers to occurred in 2010. The company has stated it is actively contacting at least 649,055 customers it believes may have been affected, to notify them of the incident.


The data breach included names, user names, phone numbers, addresses, email addresses, dates of birth and the associated prompted security questions and answers. Paddy Power has stated that no credit card, debit card or other financial information was exposed in the breach.


Additionally, according to Paddy Power, the information exposed in the 2010 breach would not on its own allow the cyber criminals to access a Paddy Power customer's account. The company also states that the breach does not affect customers who joined after 2010, and that customers who first used its services after that date have never been at risk of exposure of their account information.


Paddy Power has not revealed why the company did not inform its customers in 2010 of the breach of its network systems, even though it was aware of the malicious activity at the time. Paddy Power's response then was to conduct a security audit and update its security protocols without giving notice to its users. The company has said it did not understand the depth of the intrusion when it occurred in 2010, but it has still provided no answer as to why customers were not informed of the breach before now, nearly four years later.

What is now known about the Paddy Power breach is that a third party became aware of the 2010 data breach through a person in Canada who possessed sensitive data belonging to Paddy Power's customers. After Paddy Power verified that the data was genuine and had in fact originated from its own network systems, the company contacted law enforcement authorities with a view to a possible criminal investigation.

Once the Data Protection Commissioner had been made aware of the incident, Paddy Power then (in July 2014) began notifying its customers of the breach that occurred in 2010.

The lack of transparency towards its customers on the part of Paddy Power is very concerning, but still within the law. The Data Protection Commissioner has a set of standards called 'a code of practice' to guide companies in their response to data breaches, but adherence to the code is voluntary and not required by law. The commissioner's office does not have the legal authority to impose fines on, or bring charges against, companies that do not adhere to the code of practice, which leaves cyber security experts in the field wondering what the agency is for if not to ensure that breached companies are forthcoming with their potential victims.

For your convenience and perusal we have included the following statement made by Paddy Power to its customers below:

PADDY POWER ADVISES CUSTOMERS OF HISTORICAL DATA BREACH

31 Jul 2014


– No financial information or customer passwords accessed in hacking incident
– Full investigation shows no evidence customers' accounts adversely impacted
– Incident restricted to a number of customers who held an account in 2010, no impact on customers who opened accounts after this time

Paddy Power is today (Thursday, 31st July 2014) contacting certain customers in relation to an historical data breach. No financial information or customer passwords were compromised in the isolated incident and customers' accounts are not at risk as a result. The full extent of the 2010 data breach became known to the Company in recent months when it took legal action in Canada with the assistance of the Ontario Provincial Police to retrieve the compromised dataset from an individual.

Paddy Power takes its responsibilities regarding customer data extremely seriously and it is deeply regrettable that this breach happened. Paddy Power has engaged with the Office of the Data Protection Commissioner on this issue and kept them updated on the action taken by the Company.

The historical dataset contained individual customer's name, username, address, email address, phone contact number, date of birth and prompted question and answer. Customers' financial information such as credit or debit card details has not been compromised and is not at risk. Account passwords have also not been compromised. Paddy Power's account monitoring has not detected any suspicious activity to indicate that customers' accounts have been adversely impacted in any way.

The accessed information alone would not have been sufficient to grant access to a Paddy Power customer account and this incident has no impact on customers who opened accounts after 2010.

Paddy Power is today pro-actively contacting 649,055 affected customers on this issue. Customers are being advised to review other sites where they use the same prompted question and answer as a security measure and update where appropriate.

We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result. We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach. We are communicating with all of the people whose details have been compromised to tell them what has happened.

Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats. This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure.


The beauty of open source software is that it allows you to create, experiment with and transform code, and even give it a higher purpose. After discovering and diving deep into a new and exciting security scanning tool, and with the help of our engineering team, we began turning this tool into something more. What initially could have been used for red teaming, bug bounty hunting or hacking in general was transformed into a tool that helps blue teams defend better against the bad guys.

A bit over a year ago, Paddy Power Betfair's Application Security Engineering team started an endeavour to adapt a trending secrets scanner called shhgit. On a daily basis, our team works on creating and implementing the tools needed to ensure applications are developed and delivered to the highest quality standards. As soon as we learned more about this tool, we all immediately saw its potential to help us raise awareness and proactively reduce the possibility of leaking sensitive tokens and secrets into source code.

What is Shhgit?

Shhgit is an open-source tool that finds committed secrets and sensitive files across GitHub and its Gists in real time. Simply put, it makes heavy use of GitHub's API to find public code repositories containing leaked secrets or files. It was developed to raise awareness of, and demonstrate, the prevalence of this issue.

Underneath this high-level definition, shhgit uses a simple regular expression engine to match user-definable patterns against every line of code in a repository. Once a user pushes code to a public repository, the application is triggered to perform a full scan of that repository and emit alerts on its findings. The base, default configuration contains over 130 signatures for things like AWS keys, Google Cloud credentials or SSH keys, and it can detect many more. Many of these secrets follow specific formats (like the ones mentioned), and that can be used to our advantage to build tools that detect them.

Why use a secrets scanner?

Data leakage is one of the most common threats companies face, and the same goes for any other software development project. Leaking a secret token into the public does not necessarily mean a breach, but it certainly makes it easier for malicious attackers to leverage that knowledge when choosing attack vectors. The matter is so relevant that many tools focus on detecting and alerting when sensitive data is exposed; Amazon's AWS GuardDuty is probably one of the best-known examples.

Highs and lows of scanning tools – how we got to develop the blue team version

While this tool provided great visibility and information about sensitive data made public, it only sent alerts once the secret had already been pushed into the public. Furthermore, it sent alerts via a web application and would not easily integrate with our existing notification system. It also could not be configured per repository. That was a key feature we felt was required so that we could reduce the number of false positives we would otherwise get from this tool. If each development team could specify the patterns relevant to them, or the files that should be ignored, the tool would only notify us when real trouble came about. This level of customization was not possible in shhgit, and it is typically hard to find in many other existing solutions.

While these tools provide information about potentially sensitive data made public, they are reactive. Most often they cannot be customized, which makes them difficult to use: they fail to adapt to the specifics of a project or a company.

While the concept was good, these results pushed us to understand the tool's core engine, which turned out to be really simple: regex matching and string comparisons. A single configuration file allows the customization of all options relevant to the scanner. Moreover, we wanted repository-level configuration, so that the tool could adjust itself to the specific needs of each project.

Therefore, we built a blue-team-focused tool from scratch, written in another language, reusing most of the concepts from shhgit and closely integrating it with our systems and development practices.

How it works

As the tool currently works, it allows developers to set up a secrets scanner directly in their GitLab repositories, which then scans the code added in each new merge request. It can be seen as a step in our continuous integration (CI) pipeline and is an attempt to proactively stop developers from accidentally leaking database credentials, email addresses, AWS keys or other sensitive data into source code. The base configuration holds formats for pretty much every token you can think of, but here comes the main plus of the tool: you can customize it to your needs at repository level, including files and paths to ignore, like test directories and test files. This ensures the tool adapts to your project, and not the other way around.

When the tool starts a new scan (i.e., when a new merge request is opened), it searches the repository for a configuration file and, if one exists, uses it instead of the default one. Do you want to ensure no company email is leaked into your source code? Add a regular expression with your company's domain and there you have it. Do you use a tool that has a predictable token format which is not in the default configuration file? Add it to yours! Don't want to run the scans on your test files? No problem, add them to the ignore lists.
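As an added example that is not the project's own code (the post shows none), the following Python sketch covers both the regex-signature engine described under "What is Shhgit?" and the per-repository configuration described here: a repository-level config extends the default signatures and ignore list, and only the added lines of a merge request diff are scanned. The signature formats, the config layout and the sample diff are all constructed assumptions.

```python
import fnmatch
import re
from dataclasses import dataclass

# Constructed default signatures, a tiny stand-in for shhgit's 130+ patterns.
DEFAULT_CONFIG = {
    "signatures": {
        "AWS Access Key ID": r"\bAKIA[0-9A-Z]{16}\b",
        "Private key block": r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----",
    },
    "ignore_paths": ["test/*", "*_test.py"],
}

# Constructed repository-level config: adds a company e-mail pattern.
REPO_CONFIG = {"signatures": {"Company e-mail": r"[A-Za-z0-9._%+-]+@example\.com\b"}}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    signature: str

def merge_config(default, repo_config):
    """Repository config wins on conflicts; missing keys fall back to defaults."""
    if repo_config is None:
        return default
    signatures = dict(default["signatures"])
    signatures.update(repo_config.get("signatures", {}))
    ignore = list(default["ignore_paths"]) + list(repo_config.get("ignore_paths", []))
    return {"signatures": signatures, "ignore_paths": ignore}

def is_ignored(path, ignore_paths):
    return any(fnmatch.fnmatch(path, pat) for pat in ignore_paths)

def scan_added_lines(diff_text, config):
    """Scan only '+' lines of a unified diff, tracking file path and new-file line number."""
    compiled = {name: re.compile(p) for name, p in config["signatures"].items()}
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # target file header
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):            # hunk header: "+<start>,<count>"
            line_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue                          # removed line, old header or "No newline" marker
        elif raw.startswith("+"):
            line_no += 1
            if path and not is_ignored(path, config["ignore_paths"]):
                for name, rx in compiled.items():
                    if rx.search(raw[1:]):
                        findings.append(Finding(path, line_no, name))
        else:
            line_no += 1                      # unchanged context line
    return findings

# Constructed merge request diff; the AWS value is AWS's documented example key.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,4 @@
 DEBUG = False
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 REGION = "eu-west-1"
+ADMIN = "ops@example.com"
--- a/test/fixtures.py
+++ b/test/fixtures.py
@@ -0,0 +1 @@
+FAKE_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

def run_example():
    return scan_added_lines(SAMPLE_DIFF, merge_config(DEFAULT_CONFIG, REPO_CONFIG))
```

The hit in test/fixtures.py is suppressed by the default ignore list, which is the false-positive reduction the post describes.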

For the time being, the project has a short roadmap of features we would like to implement in the near future. These extend the base idea, in the hope that more people can benefit from this project, and also improve the tool's efficiency.

The first step is, naturally, to integrate the scanner back into GitHub. The platform hosts numerous projects, both private and public, and the tech community has a huge presence there, so we think integration there is a must. On efficiency and portability, we want to implement entropy-based detection (to try to discover secrets from string entropy, particularly relevant for really sensitive or critical projects), a customizable notification level (blocking merge requests or simply alerting developers), and, finally, to officially publish a Docker image of this project to ease its adoption by development teams.

At Paddy Power Betfair, we always work on improving our tooling to ensure a safer software development life cycle. With all our knowledge, research and hands-on experience we believe this tool really fills an existing gap. Luckily, Paddy Power Betfair encourages and allows teams to be openly curious, build new things and grow, both the people and the company. For this I am wholeheartedly thankful. Not everywhere could we find such support to work on this tool and publish it as open-source software.

Since the tool's origins are open source, we wanted to keep it that way. We saw this as an opportunity to give something back to a community that gives so much to developers and teams.


We would love to see input and contributions from the tech community, so feel free to contribute to this project. If you are interested in knowing more, or just in setting yourself up, please check the repository on GitHub for further information.
