Sports betting exchange Betfair failed to notify customers of a massive credit card data theft 18 months ago, it has been revealed.
According to the Daily Telegraph, the company disclosed in an internal report that between 28 March 2010 and 9 April 2010, cyber criminals stole 3.15 million account usernames with encrypted security questions, 2.9 million usernames with one or more addresses and 89,744 account usernames with bank account details.
Customer accounts that existed at 1 February 2010 were affected, yet Betfair made no move to inform customers of the breach because it decided that there was "no risk to customers".
"Eighteen months ago we were subject to an attempted data theft. Because of our security measures the data was unusable for fraudulent activity and we were able to recover the data intact.
"At the time, we contacted all the relevant authorities and worked closely with them regarding this matter and it was established that there was no risk to customers," the company said in a statement.
The authorities that Betfair was forced to inform included the UK Serious Organised Crime Agency (SOCA), the German law enforcement agencies, and the Australian Federal Police. It also notified the Royal Bank of Scotland, which was responsible for accepting card payments made via Betfair.
The incident, described in an internal report called 'Project Brazil Progress Report', called into question Betfair's security monitoring systems, as the company did not discover the breach for two months after the initial attack. Hackers breached the company's systems on 14 March 2010, but it was only a server crashing at a data centre in Malta that alerted the company to the attack.
According to the Daily Telegraph, a report on the crime by consultants Information Risk Management described Betfair's IT security as insufficient.
"Information security was not implemented in accordance with best practice.
"Appropriate information security governance is not in place within Betfair and as a consequence the business has been exposed to significant risks," the report stated.
Meanwhile, Betfair said that it has now implemented all of the recommendations from independent reports it commissioned into the crime, and that it has "done everything we can to minimise the risk of this happening again."
Earlier this year, Betfair launched a customer commitment charter setting out 14 promises to customers about the quality of its services, including technology.
One of the promises included ensuring the security of its site and customer data, and protecting customers' money by keeping it separate from the company's funds.
The company publishes a progress report against each of the commitments every three months, starting from 1 August.