BreachExchange mailing list archives

Bet24 security breach (email)


From: security curmudgeon <jericho () attrition org>
Date: Tue, 26 Jul 2011 19:51:49 -0500 (CDT)


http://www.thegamblingtimes.com/board/player-support-gaming-site-feedback-general-complaints/9367-bet24-security-breach-email.html

Dear Customer,

We are writing to you as a current or former customer of BET24 because we 
have been informed by police authorities that they have arrested third 
party individuals who were in possession of unauthorised copies of 
personal customer information relating to various companies including 
BET24. The BET24 customer information was stolen from BET24 by means of 
illegal electronic access to our database, which is believed to have taken 
place in December 2009. We have no information to indicate any 
unauthorised access to our database or breach of our security systems 
since December 2009, and we have no reason to believe that accounts 
registered after 31 October 2009 are affected in any way.


FOR CUSTOMERS WITH ACCOUNTS REGISTERED AS AT 28 APRIL 2007, the stolen 
information comprises:

- a list of customer names, postal addresses, email addresses, dates of 
birth, BET24 account user names, BET24 account user ID numbers, BET24 
account passwords and BET24 account balances, and, in some cases, 
telephone numbers and IP addresses.
- a second separate list of BET24 account user ID numbers, Bet24 account 
balances and parameters, customer payment card expiry dates, encrypted 
customer payment card numbers and encoded customer payment card types.

The encrypted payment card information has NOT to our knowledge been 
decrypted, and review by internet security specialists confirms that the 
level of encryption is very high. In addition, NO payment card security 
codes are stored on the BET24 database. The stolen information is so far 
known to have been used to access a limited number of customers' BET24 
accounts, third party accounts and personal email accounts. A small number 
of customers have alerted us to unauthorised activity on their BET24 
accounts and we have fully reimbursed them for any financial loss incurred 
on their accounts. At the bottom of this letter, you will find the 
security advice and action points that we recommend you to follow 
immediately.


FOR CUSTOMERS WITH ACCOUNTS REGISTERED BETWEEN 28 APRIL 2007 & 31 OCTOBER 
2009, the stolen information is more limited and comprises:

- a list of BET24 account user ID numbers, Bet24 account balances and 
parameters, customer payment card expiry dates, encrypted customer payment 
card numbers and encoded customer payment card types.

This stolen information does NOT include any personal details or passwords 
and is NOT therefore sufficient to enable access to accounts. Furthermore, 
we are not aware of any instances of illegal access to these accounts. The 
encrypted payment card information has NOT to our knowledge been 
decrypted, and review by internet security specialists confirms that the 
level of encryption is very high. In addition, NO payment card security 
codes are stored on the BET24 database. At the bottom of this letter, you 
will find the general security advice that we advise all BET24 customers 
to follow.

We are working closely with the police authorities to establish how the 
information was stolen, how it has been used, and which customers are 
affected.

We implemented a thorough security review in 2010, which included an audit 
by industry specialists and simulated hacker penetration tests, and we 
have further upgraded the security of our network. The BET24 passwords for 
all customers who had registered accounts as at 28 April 2007 were reset 
during 2010. We continue to monitor our systems and customer transactions 
constantly, and to upgrade our systems regularly.

Our customers are our number one priority and the security of your 
personal information is of paramount importance to us. Please contact our 
customer service support team by email at support () bet24 com if you have 
any questions relating to the above.

Yours sincerely,
Thomas Petersen, Chief Executive Officer


-----------------------------------------------------------------------------------------------------------------------------------------


RECOMMENDED SECURITY ACTION POINTS


FOR CUSTOMERS WITH ACCOUNTS REGISTERED AS AT 28 APRIL 2007:

- If you have ever used your BET24 password for your email account, then 
please immediately change your email account password and then change all 
passwords that you use for any other accounts including your BET24 
account.
- If you have not used your BET24 password for your email account but have 
used it for any other services or accounts, please immediately change the 
passwords for such services or accounts.
- If you believe that your BET24 account has been compromised in any way, 
please contact us immediately by email at support () bet24 com.
- Please remain vigilant and regularly review your bank account and 
payment card statements.
- Please ensure that any requests for personal data or resetting of access 
codes and passwords that you have previously received, or receive in 
future, via email, phone and post are from trustworthy parties and in 
accordance with the terms and conditions of the service or account 
provider to which they relate.


FOR CUSTOMERS WITH ACCOUNTS REGISTERED BETWEEN 28 APRIL 2007 & 31 OCTOBER 
2009:

- If you believe that your BET24 account has been compromised in any way, 
please contact us immediately by email at support () bet24 com.
- Please avoid using the same passwords for different services or accounts 
and please immediately reset any such passwords to be different for each 
service and account.
- Please regularly review your bank account and payment card statements.
- Please ensure that any requests for personal data or resetting of access 
codes and passwords that you receive via email, phone and post are from 
trustworthy parties and in accordance with the terms and conditions of the 
service or account provider to which they relate.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
