BET24.com responded to an e-mail inquiry I sent them about their recent breach disclosure. Their response did not actually answer all of my questions (no surprise there), but it did confirm that they knew about the breach in December 2009. Here is their statement to DataBreaches.net:
Thanks for your mail about the security breach, a case which we take extremely seriously.
It wasn’t until very recently that we were informed by police authorities that they have arrested third party individuals who were in possession of unauthorised copies of personal customer information relating to various companies including BET24. In December 2009 we were told by our database manager that someone had made an illegal intrusion into the system, but they had copied no data.
We also implemented a thorough security review immediately after the intrusion in 2010, which included an audit by industry specialists and simulated hacker penetration tests, and we have further upgraded the security of our network. It is an ongoing process to monitor our systems and customer transactions constantly, and to upgrade our systems regularly.
In terms of notification, all potentially affected clients were notified on the 25th of July 2011 in the afternoon. Furthermore, we also display security advice on our website.
We cannot disclose any actual numbers in regard to how many customers are potentially affected by the breach, but we are sending emails to the group of customers that the stolen information relates to.
So it seems that the only individualized notifications go to those whose names/details were found on the list recovered by police. If there is another list somewhere, or in other hands, those people would not be notified and would have to hope they see the notice on BET24’s web site.
Wouldn’t this be one of those situations in which it might be prudent to notify everyone – even if it’s just by email for now?
The EU needs a mandatory data breach disclosure and notification law. So does the U.S. And if you keep this incident in mind when formulating what the elements of any such notification should include, isn’t it clear that consumers need to know when a breach occurred and how the entity found out about it? Don’t the details of this breach emphasize the importance of providing consumers with details so that they can gauge the risk? If you got a notice that said, “Look, we know there has been some fraud already and recently, some of the data were found in the hands of criminals, but there might be more data out there that we do not yet know about,” wouldn’t you be more likely to check your statements and remain vigilant, etc.? I think so. And doesn’t this breach show that we might be better off safe than sorry when an entity knows there’s been an intrusion – even if they don’t/can’t find evidence that data were copied?
I don’t want to make BET24 seem like any poster child as there have been a lot of troubling breaches and breach decisions that I have covered over the past years. But I do think there’s a lesson to be learned from this breach when we think about strengthening consumer protections.
Did they make any claim as to why “We cannot disclose any actual numbers”? Who is preventing them from doing so, and on what basis?
I printed their statement in its entirety. I doubt they’re really being prevented from releasing the total number affected or notified because if they were instructed not to, I’d expect them to say that. If that’s the situation, they’re welcome to add a comment to this post or email me a statement that I’ll add to this.