Several major sports betting sites have been battling issues with data breaches recently, right in the thick of their busy season for football wagering.
BetMGM disclosed on Wednesday that it had learned certain customer records “were obtained in an unauthorized manner,” according to a press release.
“The issue affected personal information of some patrons such as name, contact information (such as postal address, email address and telephone number), date of birth, hashed Social Security number, account identifiers (such as player ID and screen name) and information related to transactions with BetMGM,” the bookmaker said. “The affected information varied by patron.”
A serious affair
BetMGM added that it promptly investigated after learning in late November of the issue, which the company believes occurred in May. The operator said it has no evidence passwords or account funds were accessed in connection with the matter and that its online operations were not compromised.
In the meantime, BetMGM said it is working with law enforcement and recommending users stay vigilant about any strange activity. The company also said it has “arranged to offer affected patrons credit monitoring and identity restoration services” for two years for free.
“We are taking this matter very seriously and are working quickly to investigate it,” Adam Greenblatt, CEO of BetMGM, said in a press release. “The security of our platform and our patrons' data is a top priority for BetMGM. We regret any inconvenience this may cause.”
The news from BetMGM comes on the heels of data-breach issues disclosed by two of its biggest rivals in the legal sports betting industry. They may not be the last such issues the industry experiences either, as its expansion provides more accounts and customers for bad actors to target.
Furthermore, the recent data issues are being reported right in the thick of football season, which is a busy time for bookmakers. They also come ahead of the upcoming launch of legal sports betting in Ohio, which will be a major market for operators.
Put on notice
DraftKings, notably, recently reported that nearly 68,000 customers were affected by a data breach, according to the office of Maine's Attorney General. The company said the "credential stuffing attacks" started on November 18, which is when they were discovered as well.
“‘Credential stuffing attacks’ are a specific type of cybersecurity attack in which bad actors use login credentials (e.g., email addresses/usernames and passwords) obtained from a third-party source to gain access to user accounts,” DraftKings said in its notice to Maine customers. “Credential stuffing attacks often occur when individuals use the same login credentials on multiple websites, which is why we encourage you to use a unique password for your DraftKings account.”
DraftKings added in the notice that there was no evidence attackers had accessed Social Security numbers, driver's license numbers, or financial account numbers and that it was taking steps to address the incidents, such as by requiring customers to reset their passwords.
The Boston-based bookmaker said it has notified law enforcement of the matter. The company also said in a statement to Covers that it provided formal notice of the attacks to certain customers in states where it was required to do so.
“DraftKings has restored amounts for all users whom we have determined had funds improperly withdrawn from their accounts,” the statement said. “Our investigation to date has uncovered no evidence that user login credentials were obtained from DraftKings.”
Earlier today, FanDuel’s Sportsbook & Casino app experienced a technical incident in Canada caused by an IT change by a third-party provider. The incident impacted only customers logged in and active for a short period at approximately 12:00pm EDT today. (1/3)
— FanDuel Canada (@FanDuelCanada) September 8, 2022
FanDuel was reportedly targeted by the attack as well, but the operator has not disclosed the number of accounts that might have been affected.
Still, FanDuel also ran into issues earlier in the year in Canada, where the operator reported its sports betting and casino app "experienced a technical incident" caused by a technology change by a third-party vendor.
During that time, some customers could have had access to other customers' account information. When this was discovered, FanDuel said, it shut down the platform and froze affected accounts while it resolved the issue.
A technical incident was reported to the AGCO by @FanDuelCanada as required by Ontario's igaming standards. The AGCO is engaged with @FanDuelCanada to ensure necessary regulatory steps are taken, and will be conducting a full regulatory review. https://t.co/h2bV74fXTQ
— AGCO (@Ont_AGCO) September 9, 2022
The incident attracted the attention of the regulator for sports betting in Ontario. The Alcohol and Gaming Commission of Ontario said in September it would be "conducting a full regulatory review" of the matter.
Operators are aware that they and their customers could face an increasing number of cyberattacks and are preparing accordingly. For example, FanDuel's parent company, Flutter Entertainment PLC, noted in its interim financial results in August that "cyber resilience and protection of data" was a key risk it needs to manage.
“We are dependent on technology to support our products, business activities and customer operations,” Flutter said in its results. “Cyber maturity and capabilities across our expanding Group vary and may increase the number of potential attack vectors or internal threats, which could lead to financial loss, data breaches, regulatory action and reputational damage.”
To mitigate that risk, Flutter said it invests "significantly" in its cybersecurity capabilities and works with external security specialists to meet the evolving threats.
“Flutter cyber assurance framework has been established, with risk assessments ongoing to provide assurance that security controls implemented protect against key risk topics,” the document added.