PlayMillion - Data Breach in E-Mail

Nicola (Closed Account)
Joined: Jan 22, 2013
Location: Malta
Had an e-mail come through from PlayMillion a short while ago which was in Polish with an MS Word attachment. After translating it to English I discovered this was meant for someone else, as it contained the name, e-mail, telephone, address and credit card numbers of a gentleman who had deposited several large amounts earlier today.

I have played at PlayMillion but have not logged in or deposited for a while.

No response on their phone number or by e-mail yet.

Update:

--

Thank you for bringing this to our attention.

Please accept our sincere apologies and note that this has been escalated to management.

Kind Regards,

Laura

Playmillion.co.uk Customer Support
 
Maybe I'm just paranoid, but that kind of thing wouldn't make me feel too safe with them having MY credit card and other personal info. :mad:
 
This is probably going to be a cover-up. You would be better off informing the Information Commissioner's Office so that there is at least a record of this having happened. It may have happened to others, and at different times, but by isolating the cases and sending an apology and/or "please keep quiet" email there is little incentive for them to really get to the bottom of how this happened, and make the changes necessary to prevent it in future.

This is the result of not processing the other player's personal data in accordance with the rules. Lots of companies do it, and lots of companies brush the more minor issues under the carpet. They then get caught out when a long standing unpatched vulnerability is attacked by someone who REALLY knows what they are doing, and out pop several million data records.
 
If this site is UK licensed (which I doubt, but I may be wrong) then just this ONE offence would get them seriously fined in all likelihood. Banks which do this, i.e. leave sensitive info in bin-bags etc., start counting fines in the tens of thousands. I agree that this SHOULD be reported Nicola; there but for the grace of God goes YOUR info.....:mad:
 
Final Update:

--

I am writing to you regarding the mistake made.

We hope that you accept our sincere apologies for this honest mistake which was clearly a human error.

This case is now under internal investigation and we can confirm that appropriate measures are being taken.

Thank you again for bringing this to our attention and we can assure you that this will never happen again.

If you have any further questions, do not hesitate to contact us.

Best regards,

Stefani

Playmillion.co.uk Customer Support Supervisor.
 
There's your "please don't grass to the ICO" email ;)

The problem is, how can you alone police the "internal investigation" and measures taken to ensure it doesn't happen again?

This could even be a standard template email to brush the issue under the rug, and the "investigation" and "measures" might be no more than a "don't let it happen again" slap on the wrist. This would do little to put systems in place to guard against a future "human error", and if they had been taking this seriously to start with, a system would ALREADY have been in place to catch this type of error before the email left their systems. A simple data check to validate the "to" field, the ticket number, and the account being dealt with should have spotted that the email address didn't match either the account reference or the ticket.

When such a problem has happened in the past, it has been blamed on the incorrect use of a database which has caused data beyond a certain point to shift up or down a row, resulting in the values after the error all being associated with the player account above or below, rather than the correct one.

If this is "human error", it probably means that this database was manipulated manually, and an error was made in either adding or deleting a row, and this resulted in data shifting to where it shouldn't. There was then no software based integrity check when this data was used to process personal information, which in this case was emailing the answer to a query. Simply saying "be more careful when you edit that dataset in future" isn't going to make much difference as I expect the staff were already being as careful as they could within the time and pressure constraints of their task.
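The two controls argued for in the post above (a pre-send check that the recipient, ticket and account all agree, and a software integrity check that catches rows whose columns have shifted after a manual edit) written out as a worked example. This is added illustration code, not anything from the thread or from PlayMillion's systems; the account and ticket records, the `Account`/`Ticket`/`OutboundMail` types and the function names are all constructed assumptions.

```python
# Added example (not from the thread or from PlayMillion): a pre-send gate
# that cross-checks recipient, ticket and account before a support reply
# leaves the system, plus a row-level integrity check that catches the
# "shifted column" corruption the post describes. All names and sample
# records below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    email: str
    name: str


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    account_id: str
    requester_email: str  # address the query originally came from


@dataclass(frozen=True)
class OutboundMail:
    to: str
    ticket_id: str
    account_id: str
    body: str  # rendered reply, including any merged personal data


# Master records (constructed sample data).
ACCOUNTS = {
    "A100": Account("A100", "alice@example.com", "Alice Nowak"),
    "A101": Account("A101", "bob@example.com", "Bob Kowalski"),
    "A102": Account("A102", "carol@example.com", "Carol Wisniewska"),
}
TICKETS = {
    "T-1": Ticket("T-1", "A100", "alice@example.com"),
    "T-2": Ticket("T-2", "A101", "bob@example.com"),
}


def check_outbound(mail: OutboundMail, accounts=ACCOUNTS, tickets=TICKETS) -> list[str]:
    """Return the reasons the mail must NOT be sent; an empty list means OK."""
    problems = []
    ticket = tickets.get(mail.ticket_id)
    account = accounts.get(mail.account_id)
    if ticket is None:
        return [f"unknown ticket {mail.ticket_id}"]
    if account is None:
        return [f"unknown account {mail.account_id}"]
    # Ticket, account and "to" field must all point at the same customer.
    if ticket.account_id != mail.account_id:
        problems.append(f"ticket {ticket.ticket_id} belongs to {ticket.account_id}, "
                        f"not {mail.account_id}")
    if mail.to.lower() != account.email.lower():
        problems.append(f"recipient {mail.to} is not the address on file for "
                        f"{account.account_id} ({account.email})")
    if ticket.requester_email.lower() != account.email.lower():
        problems.append("ticket requester address does not match the account")
    # Another customer's name or e-mail in the body means the merged data is wrong.
    for other in accounts.values():
        if other.account_id == account.account_id:
            continue
        if other.email.lower() in mail.body.lower() or other.name in mail.body:
            problems.append(f"body contains data belonging to {other.account_id}")
    return problems


def find_shifted_rows(export: list[dict], accounts=ACCOUNTS) -> list[str]:
    """Integrity check for a hand-edited export: every row's e-mail and name
    must agree with the master record for its account_id. Returns the ids
    of rows that do not, which is exactly what a shifted column produces."""
    bad = []
    for row in export:
        master = accounts.get(row["account_id"])
        if master is None or master.email != row["email"] or master.name != row["name"]:
            bad.append(row["account_id"])
    return bad


if __name__ == "__main__":
    # A correctly addressed reply passes.
    ok = OutboundMail("alice@example.com", "T-1", "A100",
                      "Dear Alice Nowak, your deposit query on ticket T-1 ...")
    print(check_outbound(ok))  # []
    # Bob's ticket merged with Alice's address: the kind of error in the thread.
    leak = OutboundMail("alice@example.com", "T-2", "A101",
                        "Dear Bob Kowalski, your card ending 4242 ...")
    print(check_outbound(leak))  # one recipient-mismatch problem
    # Export where the e-mail column was shifted up one row after a deletion.
    export = [
        {"account_id": "A100", "email": "bob@example.com", "name": "Alice Nowak"},
        {"account_id": "A101", "email": "carol@example.com", "name": "Bob Kowalski"},
        {"account_id": "A102", "email": "carol@example.com", "name": "Carol Wisniewska"},
    ]
    print(find_shifted_rows(export))  # ['A100', 'A101']
```

The point of the gate is that it runs against the master record, not against the same possibly-corrupted dataset the reply was merged from; a shifted export fails the cross-check even when the operator did nothing wrong at send time.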
 
