Digital bookmaker Betfair has been forced to confess that personal details of around three million of its punters have been leaked in an attack which occurred a shocking eighteen months ago.
In a reported dubbed 'Project Brazil,' Betfair officials confirmed that usernames and security questions belonging to more than three million customers, usernames with addresses belonging to just shy of three million customers, and - most shockingly - nearly 90,000 usernames with bank account details have been accessed by attackers unknown.
While the intrusion has been reported to authorities, the company has yet to inform any of its affected customers - and waited over a year to make any information regarding the attack public.
According to a timeline on the Open Security Foundation's Data Loss DB, the intrusion took place on the 14th of March 2010 and was discovered by Betfair staff on the 20th of May that year. It wasn't until the 30th of September 2011 that Betfair chose to inform police, regulators, and banking authorities of the breach.
Betfair is one of the largest on-line betting services around, and shot to Internet fame when its poker-related corporate Twitter feed started posting irreverent - and often bizarre - stories which have little to do with the matter at hand. While the company is keen to be seen as engaging with the public in this way, its actions over the breach show a worrying lack of care for those who entrust it with their credit card details.
"Eighteen months ago we were subject to an attempted data theft," a Betfair spokesperson confirmed in a statement. "Because of our security measures, the data was unusable for fraudulent activity and we were able to recover the data intact. At the time, we contacted all the relevant authorities and worked closely with them regarding this matter and it was established that there was no risk to customers."