The office of the Data Protection Commissioner has said it is disappointed that Paddy Power failed to report a major data security breach that occurred in 2010.
In a statement this afternoon, it said the breach should have been reported in line with best practice.
It said that an investigation into the incident was continuing and further recommendations from the office to Paddy Power would result.
The incident, in which details relating to more than 600,000 Paddy Power account holders were stolen, happened in October 2010.
The Data Protection Commissioner's Office said it was satisfied that Paddy Power had implemented measures that would prevent a repeat of the incident and that no financial data or passwords had been compromised.
The incident involved customers who had set up a booking account with the firm before 2011 and included customers' names, usernames, addresses, email addresses, phone numbers and dates of birth, as well as security questions and answers.
Paddy Power said that, following a full investigation, there was no sign of suspicious activity on the affected customer accounts.
The company said it had detected an attack on its database in 2010 and at the time concluded that no financial information had been obtained, though it suspected that some other information may have been taken.
It said that in May of this year it was advised that some customer information was in the possession of an individual in Canada, with the full extent of the breach being revealed after it took legal action to retrieve this.
Paddy Power said it engaged with the Office of the Data Protection Commissioner on the matter, and was now in the process of contacting the 649,055 affected customers.