Up to 800,000 Betfair and Paddy Power customers hit by data breach

Third party gained access to ‘limited betting account information’ including IP and email addresses

The company said it believes 'the unauthorised access has been removed and the incident contained'.  Photograph: Paddy Power Betfair/PA Wire
The company said it believes 'the unauthorised access has been removed and the incident contained'. Photograph: Paddy Power Betfair/PA Wire

Irish customers of Betfair and Paddy Power have been notified in recent days of a data breach at the Flutter-owned brands, which has impacted as many as 800,000 users in Ireland and Britain.

The betting sites “recently detected that an unauthorised third party” gained access to “limited betting account information” relating to some of its customers, the company said in an email to customers.

Paddy Power and Betfair are owned by Dublin-based Flutter Entertainment, which had 4.2 million average monthly users across its four betting brands in Ireland and Britain, generating $3.6 billion (€3.07 billion) in revenue, according to its annual report. It is the world’s biggest publicly listed betting company, with a market capitalisation of $50.6 billion.

A spokesman for Flutter UK and Ireland confirmed their Paddy Power and Betfair businesses suffered a “data incident involving personal information for some of our customers”.

The company said a “full investigation” was carried out to contain the breach and to determine the scope of the information accessed. Supported by external IT security experts, it said it would examine the cause of the breach and how the company can increase the security of its network and customer data.

The company said it believes “the unauthorised access has been removed and the incident contained” and that the investigation concluded that the “affected information was isolated to limited betting account information”.

Up to 800,000 users in Ireland and the UK were impacted by the breach, which included usernames, email addresses and IP addresses. There was also a limited number of incidents in which limited address details were accessible.

An email to Betfair customers said the breach impacted “details of some recent activity on your account and technical data like your device ID and IP address”.

“No passwords, ID documents or usable card or payment details were impacted,” the Flutter spokesman said.

The sites have appealed to customers to be aware of phishing efforts as a result of the breach.

It is understood that the breach, which affected nearly one in five monthly customers, was detected within the last four weeks. The company has notified the Data Protection Commission (DPC) in Ireland and the UK’s Information Commissioner’s Office.

“The nature of this incident means that regrettably some of your personal information has been impacted,” the firm said in an email to customers.

The DPC was approached for comment.

Flutter was recently expected to cut more than 200 jobs in Ireland and Britain, as part of a wider strategy to bring its brands on to a single tech platform. The company did not confirm where the redundancies will impact, saying at the time that it was in consultation with staff.

The majority of the roles at risk are understood to be at Flutter’s technology and product team, and almost all the cuts will fall at the Leeds operation. That leaves a handful of redundancies – expected to be less than 10 – affecting its Dublin office.

  • Join The Irish Times on WhatsApp and stay up to date

  • Sign up to the Business Today newsletter for the latest new and commentary in your inbox

  • Listen to Inside Business podcast for a look at business and economics from an Irish perspective