Malta ‘hacker’ sold details of 650,000 online betting customers

Canadian man says he purchased database of 650,000 Paddy Power customers from unnamed online seller in Malta

A Malta seller was said to have sold on a database containing 650,000 records of customers for PaddyPower.com
A Malta seller was said to have sold on a database containing 650,000 records of customers for PaddyPower.com

An unnamed online seller in Malta is being described as the source of hacked online details of 650,000 online betting customers.

Canadian man Jason Ferguson, tried to sell on the hacked details of the Paddy Power customers for €7,600, but is not being prosecuted for holding the confidential customer information, after claiming he purchased the data from an unnamed online seller in Malta in December last year.

The hacked customer information includes the names, emails, addresses and dates of birth of 120,000 Irish Paddy Power customers and 650,000 customers overall.

Two weeks ago, Paddy Power revealed the extent of the data breach, which occurred in 2010. The hacked data did not include any financial information or passwords.

Ferguson said that he purchased the data lawfully. “I bought lots of data for marketing but I did not hack anything,” he told Bloomberg.

He attempted to resell the hacked information as a “database broker”, according to Paddy Power, which launched a legal case in Canada for the retrieval of the hacked data.

It was discovered by a UK data breach specialist who was searching for black market peddling of stolen databases.

Ferguson wanted €7,600 for the files and sent the specialist a sample of the data, the documents show.

The Paddy Power data was among a package of lists Ferguson was selling for his Maltese contact, according to the court filings.

“I thought I was acting within the realm of legality,” Ferguson told Bloomberg. “Is it ethical? Should I have had the data? To my knowledge, there’s no precedent.”

Paddy Power secured two Canadian court orders early last month to enable computer equipment belonging to Ferguson to be seized and searched, as well as his bank accounts.

Ferguson was shown the court orders and had his hard drive and other equipment containing the names, contact details, addresses, dates of birth, and secret questions and answers for 650,000 Paddy Power clients, seized. They were later wiped clean.

No customers who signed up to Paddy Power online after 2010 are impacted by the breach. It does not include personal financial information.