How Paddy Power pursued data breach to Ontario home

Story of how contact details for 650,000 of bookmaker’s customers was put up for sale

Staff at Paddy Power’s  office in Belfield Office Park, Dublin. The bookmaker revealed last month that almost 650,000 customers were affected by a data breach in 2010.Photograph: Dara Mac Dónaill /The Irish Times
Staff at Paddy Power’s office in Belfield Office Park, Dublin. The bookmaker revealed last month that almost 650,000 customers were affected by a data breach in 2010.Photograph: Dara Mac Dónaill /The Irish Times

Jason Ferguson said the job was straightforward: buy a gambling company's client data and flip it to a rival who could use the information to win new customers. Instead, the story ended last month with a fleet of cars arriving outside his home in a cul-de-sac in a suburb of Brockville, a town three-and-a-half hours drive northeast of Toronto. The convoy included forensics experts and representatives of Paddy Power, the operator of the largest online sports book in the UK and Ireland.

After Ferguson was shown court orders, the 40-year-old led the team to his basement, where they seized a hard drive and other equipment containing the names, contact details, addresses, dates of birth, and secret questions and answers for more than 600,000 Paddy Power clients that they later wiped clean. “Should I have had the data?” Ferguson, a tattoo of a hand fanning out four aces on his right forearm, said in an interview with Bloomberg News at the only Starbucks in town over a chai latte. “Is it ethical? To my knowledge, there’s no precedent. I thought I was acting within the realm of legality.”

Canadian police agreed, with no charges being laid against Ferguson, who was flagged to Paddy Power by a London gaming consultant posing as a potential buyer. Yet the tale of how a Dublin-based company's stolen data ended up in an Ontario basement 3,100 miles away, via a detour to the Mediterranean island of Malta, illustrates the challenges facing companies and institutions across the globe, ranging from Target to the European Central Bank, grappling with personal-data breaches.

Mega breaches

READ MORE

"Many countries have anti-hacking or data privacy laws that criminalise the theft of personal data, but there is no harmonised position on buying and selling data that has been stolen," said Richard Jones, director of data privacy at Clifford Chance LLP in London. "Even in a strict regime it may not be possible to prosecute someone who didn't know, or claims not to have known, that the data they were buying was stolen."

Eight "mega breaches" last year exposed more than 10 million identities each, compared with one in 2012, according to Mountain View, California-based Symantec, the biggest maker of anti-virus tools. Last month, hackers broke into a database belonging to the ECB and attempted to use the information to extort cash from the institution. Hackers last year stole 40 million credit and debit card details along with 70 million addresses, phone numbers and other information from Target, the second-biggest US discount retailer.

For Paddy Power, the story began with a cyber attack in late 2010, according to a company statement on July 31st and court filings. Paddy Power said it detected "malicious activity" in an attempt to breach its security system, overseen by Paddy Power's chief executive officer Patrick Kennedy (45), as he sought to win a share of surging online betting.

Now one of Ireland’s biggest publicly traded companies, Paddy Power has more than 1.9 million online customers. Through an outside spokesman, the company declined to comment beyond its statement last month, which apologised for the breach.

As Kennedy was building the business, Ferguson was dealing with the failure of his Bumble B Boutique, a children’s clothing consignment store which closed after seven months in a center of a town he described as “dying”.

Born and raised in Brockville, he said he had three kids from his first marriage to support. Dressed in a black t-shirt, cargo shorts and a blue bandanna, with sunglasses perched on his head, he said he’s been making money from online gambling, arbitrage betting, and working as an “affiliate” for almost half his life. Affiliates essentially refer potential clients to betting companies.

On radar

Ferguson bought the Paddy Power data in December 2013 through an online message board from a contact based in Malta whose profile was titled “Gambling,” he said. Months later, the contact offered him a new set of data for 7,600 euros ($10,200), he said. “I bought lots of data for marketing but I did not hack anything,” Ferguson said in the interview. That’s when Ferguson popped up on Joe Saumarez Smith’s radar. Saumarez Smith, who runs a UK management consulting company that helps online gaming firms probe data breaches, said in a phone interview he came across across Ferguson as he investigated the theft of a another company’s data, and contacted him via LinkedIn.

“Exclusive rights”

Through Skype and e-mails, Ferguson told Saumarez Smith that he'd consulted for "major companies and individuals" in the brokering of gaming databases, according to documents Paddy Power filed in court in Canada as part of its civil case to retrieve the data. The Paddy Power data was among a package of lists Ferguson was selling for his Maltese contact, according to court filings. "This data is very very good and a unique marketing opportunity as you can get immediately a ton of players and affiliates," Ferguson wrote in a May 6th email to Saumarez Smith contained in the filings.

“As you can see it’s VERY extensive and easily monetised.” “You get exclusive rights as he wants to foster repeat business and long-term relations with people,” Ferguson wrote in a separate email. “Once I pay him the cash, he delivers all links.”

Ferguson wanted €7,600 for the files and sent Saumarez Smith a sample of the data, the documents show.

Not unusual

On May 6th, Saumarez Smith sent an email to Andrew Algeo, Paddy Power’s commercial director, according to the filings. The men had known each other for 11 years, and now Saumarez Smith was ready to turn over the data to his acquaintance. “What’s happened to Paddy Power isn’t unusual,” Saumarez Smith said in a phone interview on August 7th. “What’s unusual is that Paddy Power have been so open about it.”

A Paddy Power group of nine employees, known as the ISR Team, starting analysing the sample, a process which took five days, according to the filings. Concluding it belonged to the company, Paddy Power sought two orders from the Ontario Superior Court.

“Paddy Power was unable to determine the exact nature of the role played by Ferguson in the theft of the stolen data,” the company said in the filings. “It remains possible that Ferguson was merely a middle man seeking a buyer for an unidentified contact and as such wasn’t actively involved in orchestrating the theft of the stolen data.”

Files combed

The first order allowed the company access to Ferguson's bank account. The second allowed the company's representatives to search his property, seize his digital devices, and delete the stolen data. At about 5pm on July 7th, Paddy Power's lawyers led the team to Ferguson's home. He was interviewed in his backyard while experts combed through his electronic files, kept in his basement, according to court filings. When the team came to his home, Ferguson said he told them just how fruitless their search was.

“I told them ‘make no mistake about it, it’s everywhere now,’” Ferguson said in the interview. “I mean, you’re talking about four years.”

As Ferguson’s visitors carted his digital items out of his home in Brockville last month, he pleaded with them to cover the equipment in plastic bags, worried his neighbours would think he was caught up in a drug or child pornography bust.

Breach revealed

Ferguson didn't know how an alleged Malta-based online trader had obtained the information, he said in the interview with Bloomberg News. Paddy Power declined to comment on whether it was pursuing this unidentified trader. Ontario Provincial Police, which were contacted during the case, have completed their role and have not laid criminal charges against Ferguson, said Chrystal Jones, a police spokeswoman.

"There are no illegal acts being committed, according to the part we've been involved in so far," Jones said. "Client data protection laws aren't always uniform," and companies are often left on the hook as a result, said Terri Mason, head of professional indemnity for Allianz Global corporate and specialty in Canada, a unit of Allianz SE, Europe's biggest insurer.

In Canada, it’s not as clear as in the US on whether or not it’s illegal to buy and sell private third-party data digitally, she said.

“Very disappointed”

The stolen data didn’t include financial information, and would not have allowed access to customer accounts, Paddy Power said in court filings. After the seizure, Paddy Power braced for a firestorm back in Dublin. In a statement posted on its website on July 31st, the company revealed the security breach for the first time publicly, and started alerting 649,000 customers affected. While the data didn’t include account passwords or financial information, and would not have allowed access to customer accounts, the company apologised for one of the biggest data breaches in Irish corporate history.

The story became front-page news in Ireland, and the government criticised the company for waiting until this year to inform Ireland’s Data Protection Commissioner of the breach.

“I am very disappointed that it has taken until now for Paddy Power to inform its customers,” Minister for Data Protection Dara Murphy said in a statement. “While it’s not mandatory to report such breaches, it is recommended best practice.”

In its statement, the company said it learned of the full extent of the breach in recent months when it retrieved the compromised data. The company’s shares have dropped 1.2 per cent since the July 31st statement.

Back in Ontario, for Ferguson, life goes on. For the past year, he has been taking online courses through a UK-based college for a certificate in hypnotherapy. His goal is to open a clinic in Ottawa to help children with autism. About two weeks ago he went camping with his family, started a fire, and threw his hard drive - with Paddy Power’s confidential data recently wiped clean -- into the flames, he said. “I’m never having that happen again,” he said. “I don’t want to be that guy. This isn’t the life that I want.”

Bloomberg