On the trail of Paddy Power's data breach
Monday 11 August 2014 16.01
Bloomberg followed the trail of how contact details for 650,000 of the bookmaker’s customers were put up for sale and ended up making their way to Canada via Malta.
Jason Ferguson said the job was straightforward: buy a gambling company’s client data and flip it to a rival who could use the information to win new customers.
Instead, the story ended last month with a fleet of cars arriving outside his home in a cul-de-sac in a suburb of Brockville, a town a three-and-a-half-hour drive northeast of Toronto. The convoy included forensics experts and representatives of Paddy Power Plc, the operator of the largest online sports book in the U.K. and Ireland.
After Ferguson was shown court orders, the 40-year-old led the team to his basement, where they seized a hard drive and other equipment containing the names, contact details, addresses, dates of birth, and secret questions and answers for more than 600,000 Paddy Power clients, which they later wiped clean.
"Should I have had the data?" Ferguson, a tattoo of a hand fanning out four aces on his right forearm, said in an interview with Bloomberg News at the only Starbucks in town over a chai latte.
"Is it ethical? To my knowledge, there’s no precedent. I thought I was acting within the realm of legality."
Canadian police agreed, with no charges being laid against Ferguson, who was flagged to Paddy Power by a London gaming consultant posing as a potential buyer.
Yet the tale of how a Dublin-based company’s stolen data ended up in an Ontario basement 3,100 miles away, via a detour to the Mediterranean island of Malta, illustrates the challenges facing companies and institutions across the globe, ranging from Target Corp. to the European Central Bank, grappling with personal-data breaches.
"Many countries have anti-hacking or data privacy laws that criminalize the theft of personal data, but there is no harmonized position on buying and selling data that has been stolen," said Richard Jones, director of data privacy at Clifford Chance LLP in London.
"Even in a strict regime it may not be possible to prosecute someone who didn’t know, or claims not to have known, that the data they were buying was stolen."
Eight "mega breaches" last year exposed more than 10 million identities each, compared with one in 2012, according to Mountain View, California-based Symantec Corp., the biggest maker of anti-virus tools.
Last month, hackers broke into a database belonging to the ECB and attempted to use the information to extort cash from the institution.
Hackers last year stole 40 million credit- and debit-card details along with 70 million addresses, phone numbers and other information from Target, the second-biggest U.S. discount retailer.
For Paddy Power, the story began with a cyber attack in late 2010, according to a company statement on July 31 and court filings.
Paddy Power said it detected "malicious activity" in an attempt to breach its security system, overseen by Paddy Power’s Chief Executive Officer Patrick Kennedy, as he sought to win a share of surging online betting.
Now one of Ireland’s biggest publicly traded companies, Paddy Power has more than 1.9 million online customers.
Through an outside spokesman, the company declined to comment beyond its statement last month, which apologized for the breach.
As Kennedy was building the business, Ferguson was dealing with the failure of his Bumble B Boutique, a children’s clothing consignment store which closed after seven months in the centre of a town he described as "dying."
Born and raised in Brockville, he said he had three kids from his first marriage to support.
Dressed in a black t-shirt, cargo shorts and a blue bandanna, with sunglasses perched on his head, he said he’s been making money from online gambling, arbitrage betting, and working as an "affiliate" for almost half his life. Affiliates essentially refer potential clients to betting companies.
Ferguson bought the Paddy Power data in December 2013 through an online message board from a contact based in Malta whose profile was titled "Gambling," he said.
Months later, the contact offered him a new set of data for 7,600 euro ($10,200), he said.
"I bought lots of data for marketing but I did not hack anything," Ferguson said in the interview.
That’s when Ferguson popped up on Joe Saumarez Smith’s radar. Saumarez Smith, who runs a U.K. management consulting company that helps online gaming firms probe data breaches, said in a phone interview he came across Ferguson as he investigated the theft of another company’s data, and contacted him via LinkedIn.
Through Skype and e-mails, Ferguson told Saumarez Smith that he’d consulted for "major companies and individuals" in the brokering of gaming databases, according to documents Paddy Power filed in court in Canada as part of its civil case to retrieve the data.
The Paddy Power data was among a package of lists Ferguson was selling for his Maltese contact, according to court filings.
"This data is very, very good and a unique marketing opportunity as you can get immediately a ton of players and affiliates," Ferguson wrote in a May 6 e-mail to Saumarez Smith contained in the filings. "As you can see it’s very extensive and easily monetized."
"You get exclusive rights as he wants to foster repeat business and long-term relations with people," Ferguson wrote in a separate e-mail. "Once I pay him the cash, he delivers all links."
Ferguson wanted 7,600 euro for the files and sent Saumarez Smith a sample of the data, the documents show.
On May 6, Saumarez Smith sent an e-mail to Andrew Algeo, Paddy Power’s commercial director, according to the filings. The men had known each other for 11 years, and now Saumarez Smith was ready to turn over the data to his acquaintance.
"What’s happened to Paddy Power isn’t unusual," Saumarez Smith said in a phone interview on Aug. 7.
"What’s unusual is that Paddy Power have been so open about it."
A Paddy Power group of nine employees, known as the ISR Team, started analyzing the sample, a process which took five days, according to the filings. Concluding it belonged to the company, Paddy Power sought two orders from the Ontario Superior Court.
"Paddy Power was unable to determine the exact nature of the role played by Ferguson in the theft of the stolen data," the company said in the filings.
"It remains possible that Ferguson was merely a middle man seeking a buyer for an unidentified contact and as such wasn’t actively involved in orchestrating the theft of the stolen data."
The first order allowed the company access to Ferguson’s bank account. The second allowed the company’s representatives to search his property, seize his digital devices, and delete the stolen data.
At about 5 p.m. on July 7, Paddy Power’s lawyers led the team to Ferguson’s home. He was interviewed in his backyard while experts combed through his electronic files, kept in his basement, according to court filings.
When the team came to his home, Ferguson said he told them just how fruitless their search was.
"I told them ‘make no mistake about it, it’s everywhere now,’" Ferguson said in the interview. "I mean, you’re talking about four years."
As Ferguson’s visitors carted his digital items out of his home in Brockville last month, he pleaded with them to cover the equipment in plastic bags, worried his neighbours would think he was caught up in a drug or child pornography bust.
Ferguson didn’t know how an alleged Malta-based online trader had obtained the information, he said in the interview with Bloomberg News.
Paddy Power declined to comment on whether it was pursuing this unidentified trader.
Ontario Provincial Police, which were contacted during the case, have completed their role and have not laid criminal charges against Ferguson, said Chrystal Jones, a police spokeswoman.
"There are no illegal acts being committed, according to the part we’ve been involved in so far," Jones said by phone August 6th.
"Client data protection laws aren’t always uniform," and companies are often left on the hook as a result, said Terri Mason, head of professional indemnity for Allianz Global Corporate & Specialty in Canada, a unit of Allianz SE, Europe’s biggest insurer. In Canada, it’s not as clear as in the U.S. whether or not it’s illegal to buy and sell private third-party data digitally, she said.
The stolen data didn’t include financial information, and would not have allowed access to customer accounts, Paddy Power said in court filings. After the seizure, Paddy Power braced for a firestorm back in Dublin. In a statement posted on its website on July 31, the company revealed the security breach for the first time publicly, and started alerting 649,000 customers affected.
While the data didn’t include account passwords or financial information, and would not have allowed access to customer accounts, the company apologized for one of the biggest data breaches in Irish corporate history.
The story became front-page news in Ireland, and the government criticized the company for waiting until this year to inform Ireland’s Data Protection Commissioner of the breach.
"I am very disappointed that it has taken until now for Paddy Power to inform its customers," Data Protection Minister Dara Murphy said in a statement.
"While it’s not mandatory to report such breaches, it is recommended best practice."
In its statement, the company said it learned of the full extent of the breach in recent months when it retrieved the compromised data. The company’s shares have dropped 1.2% since the July 31 statement.
Paddy Power joins some of the world’s biggest companies grappling with data breaches as attacks from cyber criminals seeking illicit gains from customers’ data increase.
Cyber crime and data breaches cost the global economy about $400 billion annually, and at least 800 million individual records were affected by cyber crime last year, according to a June report by McAfee Inc. and the Centre for Strategic and International Studies.
The average cost for a breach climbed 15% to $3.5 million as firms probed attacks and figured out a response, U.S. security research centre Ponemon Institute said in a May report sponsored by International Business Machines Corp.
The attacks have spanned industries. An intruder hacked into a Vodafone Group Plc server in September, gaining access to banking information and other details for 2 million customers of the world’s second-biggest mobile-phone carrier. EBay Inc., the online marketplace, asked users in May to change their passwords after a data breach.
The breach at Minneapolis-based Target prompted a wave of executive departures from the retailer.
For Ferguson, life goes on. For the past year, he has been taking online courses through a U.K.-based college for a certificate in hypnotherapy. His goal is to open a clinic in Ottawa to help children with autism.
About two weeks ago he went camping with his family, started a fire, and threw his hard drive -- with Paddy Power’s confidential data recently wiped clean -- into the flames, he said.
"I’m never having that happen again," he said. "I don’t want to be that guy. This isn’t the life that I want."