John Leyden reports:
BET24.com warned customers on Monday that their personal data may have been exposed by a breach that took place in December 2009.
The gambling site is only warning clients 19 months after the breach, although it said it had taken other measures, including resetting passwords, at the time of the breach. The warning follows the arrest of a suspect found in “possession of unauthorised copies of personal customer information relating to various companies including BET24”.
Data stolen from BET24 included customer names, addresses, email addresses, user account IDs, account passwords and encrypted payment card numbers. BET24 admitted that the stolen data had been used in instances of fraud on its site, at least, adding that victims had been reimbursed.
Read more on The Register.
BET24.com issued a statement yesterday on their web site, linked from the home page.
Although suggested by their statement and by others, it’s not absolutely clear from their statement when they were first alerted to the possibility that they had been hacked, when they first investigated any reports of possible compromise (was it January 2010 or later in the year?), and when they confirmed that they were hacked.
Did they know definitively in December 2009 or January 2010 they had been breached but kept quiet until the police recently found lists with customer data? And how many other customers experienced fraud since December 2009 but never thought to notify BET24 or connect the fraud to that breach?
What did BET24.com know and when did they first know it? BET24 did not respond to inquiries sent by the time of this publication, but given the time difference, that’s a bit understandable for now.