The incident was discovered as part of an investigation in Canada, after a third party disclosed that an individual in Toronto had customer data from the company, which is based in Dublin. The company subsequently obtained two court orders in the country to seize the IT assets from the man in order to wipe the data and examine his bank accounts.
Just shy of 650,000 customers were affected in total, with 120,000 of these residing in Ireland. Only customers who signed up to the service in 2010 or earlier have been affected.
“The historical dataset contained individual customer's name, username, address, email address, phone contact number, date of birth and prompted question and answer,” Paddy Power said in a statement.
“Customers' financial information such as credit or debit card details has not been compromised and is not at risk. Account passwords have also not been compromised.”
There is some surprise that Paddy Power only disclosed this event earlier today – some four years after the breach – especially as it reported that the company was aware of the incident at the time and had completed a security audit and updated its technology infrastructure.
The firm says that account monitoring had not detected any activity to indicate that accounts had been impacted, and added that it is now working with the Data Protection Commission and Irish police on the matter. It advises customers to “review other sites where they use the same prompted question and answer as a security measure and update where appropriate.”