The gambling website Paddy Power recently began notifying 649,055 customers that their personal information may have been exposed as a result of a data breach in 2010.
Paddy Power was notified in May 2014 that an unidentified person in Canada was in possession of a customer database dating from 2010. The company then sought two court orders to seize the individual's IT assets, including the database in question. The court orders were executed during the week of July 7, 2014.
"Paddy Power had detected malicious activity in an attempted breach of its data security system in 2010," the company said in a statement. "A detailed investigation was undertaken at the time and determined that no financial information or customer passwords had been put at risk. It was, however, suspected that some non-financial customer information may have been exposed and a full review of security systems was undertaken."
The stolen data included 649,055 customers' names, user names, mailing addresses, email addresses, phone numbers, birthdates, and security questions and answers. No financial data or passwords were exposed.
"We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data," Paddy Power managing director Peter O'Donovan said in a statement. "That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach."
Still, Webroot director of product marketing George Anderson says the company's delay in announcing the breach is inexcusable. "It's shocking to see that Paddy Power has waited over four years to inform its users of the cyber attack on the company, joining the ranks of eBay and Orange France that also waited far too long between a breach and a public disclosure," Anderson told CSO Online. "Waiting four years isn't just irresponsible, it's senseless."
Last month, the Australian shopping site Catch of the Day made a similarly delayed breach announcement -- the company announced in July 2014 that it had been hit by a cyber attack on May 7, 2011, which exposed hashed passwords, names, mailing addresses and email addresses, as well as some credit card information.
"As technology advances, there is a risk those hashed passwords become compromised, and Catchoftheday decided in light of these developments to proactively inform customers," the company said in a statement on Facebook.
One customer replied on Facebook, "I just realized this was around the time my card was canceled and my bank couldn't tell me why and who except that someone tried to access my account ... I had to wait over a week for a new card, new number and a lot of hassle. Well thanks for letting me now 3 yrs later. ... I was a good customer. Now I know not to buy from you again."
"We unreservedly apologize to our customers for this incident," Catch Group executive general manager Jason Rudy said in a statement. "We take data security seriously and have taken strong measures to protect their personal information. We have committed significant resources both internally with a large dedicated team and externally via expert consultants to ensure we meet industry standards."
AVG security advisor Michael McKinnon told SmartCompany that Catch of the Day had likely been advised by its legal team not to disclose the breach when it was first discovered. "Actually admitting it when you don't have to opens up legal liability," he said.
Still, McKinnon said, the reputational impact of a delayed breach notification like Catch of the Day's can be far greater than it would have been had the breach been disclosed right away
As Rapid7 global security strategist Trey Ford recently told eSecurity Planet, swift and clear communication following a data breach can make a huge difference. "More information tends to be better than less," he said. "People want to be able to understand so they can maintain a level of trust."
In another article, eSecurity Planet also collected tips from attorney Alia Luria and other experts on how to respond to a data breach.
Photo courtesy of Shutterstock.