Bet24 security breach (email)

[U4EA]

From the email: -

--------

Dear Customer,

We are writing to you as a current or former customer of BET24 because we have been informed by police authorities that they have arrested third party individuals who were in possession of unauthorised copies of personal customer information relating to various companies including BET24. The BET24 customer information was stolen from BET24 by means of illegal electronic access to our database, which is believed to have taken place in December 2009. We have no information to indicate any unauthorised access to our database or breach of our security systems since December 2009, and we have no reason to believe that accounts registered after 31 October 2009 are affected in any way.


FOR CUSTOMERS WITH ACCOUNTS REGISTERED AS AT 28 APRIL 2007, the stolen information comprises:

• a list of customer names, postal addresses, email addresses, dates of birth, BET24 account user names, BET24 account user ID numbers, BET24 account passwords and BET24 account balances, and, in some cases, telephone numbers and IP addresses.
• a second separate list of BET24 account user ID numbers, Bet24 account balances and parameters, customer payment card expiry dates, encrypted customer payment card numbers and encoded customer payment card types.

The encrypted payment card information has NOT to our knowledge been decrypted, and review by internet security specialists confirms that the level of encryption is very high. In addition, NO payment card security codes are stored on the BET24 database. The stolen information is so far known to have been used to access a limited number of customers’ BET24 accounts, third party accounts and personal email accounts. A small number of customers have alerted us to unauthorised activity on their BET24 accounts and we have fully reimbursed them for any financial loss incurred on their accounts. At the bottom of this letter, you will find the security advice and action points that we recommend you to follow immediately.


FOR CUSTOMERS WITH ACCOUNTS REGISTERED BETWEEN 28 APRIL 2007 & 31 OCTOBER 2009, the stolen information is more limited and comprises:

• a list of BET24 account user ID numbers, Bet24 account balances and parameters, customer payment card expiry dates, encrypted customer payment card numbers and encoded customer payment card types.

This stolen information does NOT include any personal details or passwords and is NOT therefore sufficient to enable access to accounts. Furthermore, we are not aware of any instances of illegal access to these accounts. The encrypted payment card information has NOT to our knowledge been decrypted, and review by internet security specialists confirms that the level of encryption is very high. In addition, NO payment card security codes are stored on the BET24 database. At the bottom of this letter, you will find the general security advice that we advise all BET24 customers to follow.

We are working closely with the police authorities to establish how the information was stolen, how it has been used, and which customers are affected.

We implemented a thorough security review in 2010, which included an audit by industry specialists and simulated hacker penetration tests, and we have further upgraded the security of our network. The BET24 passwords for all customers who had registered accounts as at 28 April 2007 were reset during 2010. We continue to monitor our systems and customer transactions constantly, and to upgrade our systems regularly.

Our customers are our number one priority and the security of your personal information is of paramount importance to us. Please contact our customer service support team by email at support@bet24.com if you have any questions relating to the above.

Yours sincerely,
Thomas Petersen, Chief Executive Officer


-----------------------------------------------------------------------------------------------------------------------------------------


RECOMMENDED SECURITY ACTION POINTS


FOR CUSTOMERS WITH ACCOUNTS REGISTERED AS AT 28 APRIL 2007:

- If you have ever used your BET24 password for your email account, then please immediately change your email account password and then change all passwords that you use for any other accounts including your BET24 account.
- If you have not used your BET24 password for your email account but have used it for any other services or accounts, please immediately change the passwords for such services or accounts.
- If you believe that your BET24 account has been compromised in any way, please contact us immediately by email at support@bet24.com.
- Please remain vigilant and regularly review your bank account and payment card statements.
- Please ensure that any requests for personal data or resetting of access codes and passwords that you have previously received, or receive in future, via email, phone and post are from trustworthy parties and in accordance with the terms and conditions of the service or account provider to which they relate.


FOR CUSTOMERS WITH ACCOUNTS REGISTERED BETWEEN 28 APRIL 2007 & 31 OCTOBER 2009:

- If you believe that your BET24 account has been compromised in any way, please contact us immediately by email at support@bet24.com.
- Please avoid using the same passwords for different services or accounts and please immediately reset any such passwords to be different for each service and account.
- Please regularly review your bank account and payment card statements.
- Please ensure that any requests for personal data or resetting of access codes and passwords that you receive via email, phone and post are from trustworthy parties and in accordance with the terms and conditions of the service or account provider to which they relate.

---------

[Super_Dash]

I am as worried as I have been. To my knowledge my OH used moneybookers so that isn't an issue but having my username and password is definitely a headache....

[kamoon]

Well done. The security breach took place in 2009, a security review was done in 2010 and customers were notified in 2011. They get no sympathy from me.

A compensatory bonus would've been nice in the same email but we don't get even that.

Edit: LiveChat:

Brian - Denmark: Thank you for contacting Bet24 Live chat - How may I help You?
Scumbag: Hey, I'd like to ask when did Bet24 find out about the security breach that was mentioned in the email received today?
Brian - Denmark: It should say in the email, but it was in Dec. 2009.
Scumbag: Why would you notify your customers only on July 2011 then? Had you notified your customers in the first place they would have possibly had the time to protect themselves from this information theft. Now we were left on bare rocks.
Brian - Denmark: We were not aware until very recently that this customer data had been stolen. At the time of the security breach in December 2009 we were advised by our database managers that no data had been copied. We are working closely with the police authorities to establish how the information was stolen, how it has been used, and which customers are affected.

[bella]

I joined Jan 09.. worth checking acc history and checking where you are...

[diana11]

It could be how my email account was hacked. Just needed my address and date of birth to get around the security questions on my email account in order to change the password.

My bet 24 account wasn't used as I had been made to change the password on this account last year and I wonder bet 24 they knew something at this time. However other betting accounts were used and my bank account was emptied.

At the time I put it down to a rogue bookie employee but this sounds more likely. My email address was only used at bookies.

[munk]

It could be how my email account was hacked. Just needed my address and date of birth to get around the security questions on my email account in order to change the password.

My bet 24 account wasn't used as I had been made to change the password on this account last year and I wonder bet 24 they knew something at this time. However other betting accounts were used and my bank account was emptied.

At the time I put it down to a rogue bookie employee but this sounds more likely. My email address was only used at bookies.

From what you say your account was created prior to 28th April 2007 so the stolen info included personal details and passwords (whereas later registrants just had the account id/balance/'parameters' + encrypted card details lifted). So maybe they used the email address and password to login to Moneybookers if they were the same that was used on Bet24.

I would imagine any time anyone gets a hold of a database like that that includes email address and password, all those emails and passwords will get tried on Moneybookers and chances are if there are enough of them they will get a few hits and be able to break in. As always (and not to take this thread off topic too much) it's always worth making sure your email address / password for Moneybookers isn't used anywhere else online just in case this kind of thing happens.

PS I joined in December 2008 so I'm in the second group above, not quite so bad but still pretty poor if they took that long to let customers know they were compromised.

[Andy]

Im going to work on the basis that if nothing has happened yet, it is not going to now.

Fingers crossed...

[westv]

Does make you wonder if there have been unreported security breaches at other bookies that we might learn about 2 years after they happened.

[wobbler]

Wow that's some delay lol. Makes you wonder about the breaches that aren't admitted though, there are bound to be a few.

Wes beat me to it!

[The_Ed]

These security breaches are getting too common - considering these multi-million $ companies getting hacked (Sony/playstation for example), is any site safe...?