\nKatia Dmitrieva and Donal Griffin, Bloomberg <\/p>\n
\t(Bloomberg) \u2014 Jason Ferguson said the job was straightforward: buy a gambling company\u2019s client data and flip it to a rival who could use the information to win new customers.<\/p>\n
\tInstead, the story ended last month with a fleet of cars arriving outside his home in a cul-de-sac in a suburb of Brockville, a town three-and-a-half hours drive northeast of Toronto. The convoy included forensics experts and representatives of Paddy Power Plc, the operator of the largest online sports book in the U.K. and Ireland.<\/p>\n
\tAfter Ferguson was shown court orders, the 40-year-old led the team to his basement, where they seized a hard drive and other equipment containing the names, contact details, addresses, dates of birth, and secret questions and answers for more than 600,000 Paddy Power clients that they later wiped clean.<\/p>\n
\t\u201cShould I have had the data?\u201d Ferguson, a tattoo of a hand fanning out four aces on his right forearm, said in an interview with Bloomberg News at the only Starbucks in town over a chai latte. \u201cIs it ethical? To my knowledge, there\u2019s no precedent. I thought I was acting within the realm of legality.\u201d<\/p>\n
\tCanadian police agreed, with no charges being laid against Ferguson, who was flagged to Paddy Power by a London gaming consultant posing as a potential buyer. Yet the tale of how a Dublin-based company\u2019s stolen data ended up in an Ontario basement 3,100 miles away, via a detour to the Mediterranean island of Malta, illustrates the challenges facing companies and institutions across the globe, ranging from Target Corp. to the European Central Bank, grappling with personal-data breaches.<\/p>\n
\tMega Breaches<\/p>\n
\t\u201cMany countries have anti-hacking or data privacy laws that criminalize the theft of personal data, but there is no harmonized position on buying and selling data that has been stolen,\u201d said Richard Jones, director of data privacy at Clifford Chance LLP in London. \u201cEven in a strict regime it may not be possible to prosecute someone who didn\u2019t know, or claims not to have known, that the data they were buying was stolen.\u201d<\/p>\n
\tEight \u201cmega breaches\u201d last year exposed more than 10 million identities each, compared with one in 2012, according to Mountain View, California-based Symantec Corp., the biggest maker of anti-virus tools. Last month, hackers broke into a database belonging to the ECB and attempted to use the information to extort cash from the institution. Hackers last year stole 40 million credit- and debit-card details along with 70 million addresses, phone numbers and other information from Target, the second-biggest U.S. discount retailer.<\/p>\n
\tBumble B<\/p>\n
\tFor Paddy Power, the story began with a cyber attack in late 2010, according to a company statement on July 31 and court filings. Paddy Power said it detected \u201cmalicious activity\u201d in an attempt to breach its security system, overseen by Paddy Power\u2019s Chief Executive Officer Patrick Kennedy, 45, as he sought to win a share of surging online betting.<\/p>\n
\tNow one of Ireland\u2019s biggest publicly traded companies, Paddy Power has more than 1.9 million online customers. Through an outside spokesman, the company declined to comment beyond its statement last month, which apologized for the breach.<\/p>\n
\tAs Kennedy was building the business, Ferguson was dealing with the failure of his Bumble B Boutique, a children\u2019s clothing consignment store which closed after seven months in a center of a town he described as \u201cdying.\u201d Born and raised in Brockville, he said he had three kids from his first marriage to support.<\/p>\n
\tDressed in a black t-shirt, cargo shorts and a blue bandanna, with sunglasses perched on his head, he said he\u2019s been making money from online gambling, arbitrage betting, and working as an \u201caffiliate\u201d for almost half his life. Affiliates essentially refer potential clients to betting companies.<\/p>\n
\tOn Radar<\/p>\n
\tFerguson bought the Paddy Power data in December 2013 through an online message board from a contact based in Malta whose profile was titled \u201cGambling,\u201d he said. Months later, the contact offered him a new set of data for 7,600 euros ($10,200), he said.<\/p>\n
\t\u201cI bought lots of data for marketing but I did not hack anything,\u201d Ferguson said in the interview.<\/p>\n
\tThat\u2019s when Ferguson popped up on Joe Saumarez Smith\u2019s radar. Saumarez Smith, who runs a U.K. management consulting company that helps online gaming firms probe data breaches, said in a phone interview he came across across Ferguson as he investigated the theft of a another company\u2019s data, and contacted him via LinkedIn.<\/p>\n
\t\u2018Exclusive Rights\u2019<\/p>\n
\tThrough Skype and e-mails, Ferguson told Saumarez Smith that he\u2019d consulted for \u201cmajor companies and individuals\u201d in the brokering of gaming databases, according to documents Paddy Power filed in court in Canada as part of its civil case to retrieve the data.<\/p>\n
\tThe Paddy Power data was among a package of lists Ferguson was selling for his Maltese contact, according to court filings.<\/p>\n
\t\u201cThis data is very very good and a unique marketing opportunity as you can get immediately a ton of players and affiliates,\u201d Ferguson wrote in a May 6 e-mail to Saumarez Smith contained in the filings. \u201cAs you can see it\u2019s VERY extensive and easily monetized.\u201d<\/p>\n
\t\u201cYou get exclusive rights as he wants to foster repeat business and long-term relations with people,\u201d Ferguson wrote in a separate e-mail. \u201cOnce I pay him the cash, he delivers all links.\u201d<\/p>\n
\tFerguson wanted 7,600 euros for the files and sent Saumarez Smith a sample of the data, the documents show.<\/p>\n
\tNot Unusual<\/p>\n
\tOn May 6, Saumarez Smith sent an e-mail to Andrew Algeo, Paddy Power\u2019s commercial director, according to the filings. The men had known each other for 11 years, and now Saumarez Smith was ready to turn over the data to his acquaintance.<\/p>\n
\t\u201cWhat\u2019s happened to Paddy Power isn\u2019t unusual,\u201d Saumarez Smith said in a phone interview on Aug. 7. \u201cWhat\u2019s unusual is that Paddy Power have been so open about it.\u201d<\/p>\n
\tA Paddy Power group of nine employees, known as the ISR Team, starting analyzing the sample, a process which took five days, according to the filings. Concluding it belonged to the company, Paddy Power sought two orders from the Ontario Superior Court.<\/p>\n
\t\u201cPaddy Power was unable to determine the exact nature of the role played by Ferguson in the theft of the stolen data,\u201d the company said in the filings. \u201cIt remains possible that Ferguson was merely a middle man seeking a buyer for an unidentified contact and as such wasn\u2019t actively involved in orchestrating the theft of the stolen data.\u201d<\/p>\n
\tFiles Combed<\/p>\n
\tThe first order allowed the company access to Ferguson\u2019s bank account. The second allowed the company\u2019s representatives to search his property, seize his digital devices, and delete the stolen data.<\/p>\n
\tAt about 5 p.m. on July 7, Paddy Power\u2019s lawyers led the team to Ferguson\u2019s home. He was interviewed in his backyard while experts combed through his electronic files, kept in his basement, according to court filings.<\/p>\n
\tWhen the team came to his home, Ferguson said he told them just how fruitless their search was.<\/p>\n
\t\u201cI told them \u2018make no mistake about it, it\u2019s everywhere now,\u2019\u201d Ferguson said in the interview. \u201cI mean, you\u2019re talking about four years.\u201d<\/p>\n
\tAs Ferguson\u2019s visitors carted his digital items out of his home in Brockville last month, he pleaded with them to cover the equipment in plastic bags, worried his neighbors would think he was caught up in a drug or child pornography bust.<\/p>\n
\tBreach Revealed<\/p>\n
\tFerguson didn\u2019t know how an alleged Malta-based online trader had obtained the information, he said in the interview with Bloomberg News. Paddy Power declined to comment on whether it was pursuing this unidentified trader.<\/p>\n
\tOntario Provincial Police, which were contacted during the case, have completed their role and have not laid criminal charges against Ferguson, said Chrystal Jones, a police spokeswoman.<\/p>\n
\t\u201cThere are no illegal acts being committed, according to the part we\u2019ve been involved in so far,\u201d Jones said by phone Aug. 6.<\/p>\n
\t\u201cClient data protection laws aren\u2019t always uniform,\u201d and companies are often left on the hook as a result, said Terri Mason, head of professional indemnity for Allianz Global corporate and specialty in Canada, a unit of Allianz SE, Europe\u2019s biggest insurer. In Canada, it\u2019s not as clear as in the U.S. on whether or not it\u2019s illegal to buy and sell private third-party data digitally, she said.<\/p>\n
\t\u2018Very Disappointed\u2019<\/p>\n
\tThe stolen data didn\u2019t include financial information, and would not have allowed access to customer accounts, Paddy Power said in court filings.<\/p>\n
\tAfter the seizure, Paddy Power braced for a firestorm back in Dublin. In a statement posted on its website on July 31, the company revealed the security breach for the first time publicly, and started alerting 649,000 customers affected.<\/p>\n
\tWhile the data didn\u2019t include account passwords or financial information, and would not have allowed access to customer accounts, the company apologized for one of the biggest data breaches in Irish corporate history.<\/p>\n
\tThe story became front-page news in Ireland, and the government criticized the company for waiting until this year to inform Ireland\u2019s Data Protection Commissioner of the breach.<\/p>\n
\t\u201cI am very disappointed that it has taken until now for Paddy Power to inform its customers,\u201d Data Protection Minister Dara Murphy said in a statement. \u201cWhile it\u2019s not mandatory to report such breaches, it is recommended best practice.\u201d<\/p>\n
\tRising Toll<\/p>\n
\tIn its statement, the company said it learned of the full extent of the breach in recent months when it retrieved the compromised data. The company\u2019s shares have dropped 1.2 percent since the July 31 statement.<\/p>\n
\tPaddy Power joins some of the world\u2019s biggest companies grappling with data breaches as attacks from cyber criminals seeking illicit gains from customers\u2019 data increase. Cyber crime and data breaches cost the global economy about $400 billion annually, and at least 800 million individual records were affected by cyber crime last year, according to a June report by McAfee Inc. and the Center for Strategic and International Studies.<\/p>\n
\tThe average cost for a breach climbed 15 percent to $3.5 million as firms probed attacks and figured out a response, U.S. security research center Ponemon Institute said in a May report sponsored by International Business Machines Corp.<\/p>\n
\tThe attacks have spanned industries. An intruder hacked into a Vodafone Group Plc server in September, gaining access to banking information and other details for 2 million customers of the world\u2019s second-biggest mobile-phone carrier. EBay Inc., the online marketplace, asked users in May to change their passwords after a data breach.<\/p>\n
\tMoving On<\/p>\n
\tThe breach at Minneapolis-based Target prompted a wave of executive departures from the retailer.<\/p>\n
\tFor Ferguson, life goes on. For the past year, he has been taking online courses through a U.K.-based college for a certificate in hypnotherapy. His goal is to open a clinic in Ottawa to help children with autism.<\/p>\n
\tAbout two weeks ago he went camping with his family, started a fire, and threw his hard drive \u2014 with Paddy Power\u2019s confidential data recently wiped clean \u2014 into the flames, he said.<\/p>\n
\t\u201cI\u2019m never having that happen again,\u201d he said. \u201cI don\u2019t want to be that guy. This isn\u2019t the life that I want.\u201d<\/p>\n
No replies were posted for this topic.<\/p>\n","protected":false},"excerpt":{"rendered":"
Katia Dmitrieva and Donal Griffin, Bloomberg (Bloomberg) \u2014 Jason Ferguson said the job was straightforward: buy a gambling company\u2019s client data and flip it to a rival who could use the information to win new customers. Instead, the story ended…<\/p>\n","protected":false},"author":36,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-7819","post","type-post","status-publish","format-standard","hentry","category-latest-casino-news"],"_links":{"self":[{"href":"https:\/\/forumarchives.tmsites.net\/index.php\/wp-json\/wp\/v2\/posts\/7819","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forumarchives.tmsites.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forumarchives.tmsites.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forumarchives.tmsites.net\/index.php\/wp-json\/wp\/v2\/users\/36"}],"replies":[{"embeddable":true,"href":"https:\/\/forumarchives.tmsites.net\/index.php\/wp-json\/wp\/v2\/comments?post=7819"}],"version-history":[{"count":0,"href":"https:\/\/forumarchives.tmsites.net\/index.php\/wp-json\/wp\/v2\/posts\/7819\/revisions"}],"wp:attachment":[{"href":"https:\/\/forumarchives.tmsites.net\/index.php\/wp-json\/wp\/v2\/media?parent=7819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forumarchives.tmsites.net\/index.php\/wp-json\/wp\/v2\/categories?post=7819"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forumarchives.tmsites.net\/index.php\/wp-json\/wp\/v2\/tags?post=7819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}