- Several online casinos that utilized a particular ElasticSearch database had their users' data open to access.
- The information that leaked includes real names, winnings, home addresses, and more.
- The mother company claims that no real damage was done and that no data was actually leaked out.
As first reported by Justin Paine, the Director of Safety at Cloudflare, a group of online casinos owned by Mountberg Limited left an ElasticSearch database open, leaking out the user details associated with 108 million bets. As highlighted by Paine, these incidents are so common now, he is not even going to write it up. According to ZDNet, the players that need to worry are those who use the platforms of easybet.com, azur-casino.com, kahunacasino.com, and viproomcasino.net, although it is certain that more online casinos were affected by the particular leak.
Another day, another data leak.
108,025,616 bets from a variety of online casinos.
-- first name/last name
-- billing address
-- partial credit card
-- how much the bet was for
-- email address
Not even going to write this one up. Just notifying the host.
— Justin (@xxdesmus) January 19, 2019
The information that found its way out includes the real names of the players, their home addresses, their emails, phone numbers, usernames, account balance, birth dates, IP addresses, and the browser and OS details. Even data such as when the user performed the last login, which games they played during their previous active session, what withdrawals or deposits they have done, and what their current bets are were leaked. Naturally, payment card data is related to this data, but only partial information of the user’s full payment method details was exposed. The fact remains though, that people who have this information in their hands can pinpoint to those who recently won large amounts of money and where they live.
No one knows for sure the exact time period during which the particular server was left vulnerable, so the actual extent of the damage remains uncertain. The problematic server that was hosted by OVH has now gone offline, but the customers that were affected by its leak have not been identified and notified by the casino company yet. Obviously, a lot of them have not realized what happened, and when they are informed of the fact that such sensitive information was left unguarded, it will have a massive impact on their trust towards their favorite betting platform.
This signifies the urgent need to establish strong cybersecurity and data privacy policies by companies who store and manage such critical customer data, and online casinos should invest more on this field if they want their business to keep on delivering strong profit figures. With the number of attacks that are going on each day against all those online entities, companies must establish stronger data security systems that no longer rely on a small team of people, but on AI and proactive risk mitigation instead.
The official response from Mountberg Limited to ZDNet is reassuring, claiming that Justin Paine was the first to discover this, allowing them to act in time before a malicious party took advantage of this. Moreover, they add that: “The identification of this issue has allowed our company reassess the nature of our security protocols and procedures and we feel that in the long term having this occur will only strengthen our defenses against such instances in the future.”