International sports betting behemoth BetVictor finds itself in the hot seat today after it was revealed the bookmaker left sensitive information exposed to the public via the customer support search function.
Being hacked would be bad enough on its own, but it appears BetVictor left the door wide open for anyone to find confidential information, administrative usernames and passwords just by entering search terms into the publicly-accessible customer support search tool.
In a blog post published on Medium this morning, Chris Hogben explains how he found what appear to be internal documents. Among those documents is one containing admin usernames and passwords for a variety of internal and external platforms.
His method of entry sounds accidental in nature as he explains how, while searching for assistance with an actual support issue, he opened BetVictor’s customer support menu. He didn’t find the answer he was looking for there, so used the search function to see what he could find.
His first search yielded some interesting results, including what appeared to be internal policies directed at employees. This prompted Hogben to enter a search for “admin,” where he found a document titled “Logins/Links to Back Offices – Internal.”
Hogben reports finding usernames and passwords for “trading platforms, support ticketing systems both internal and those between BetVictor and their gaming platforms, as well as an entry for ‘Experian’ – an identity verification service.” He also found weak passwords and passwords that appear in the Have I Been Pwned passwords list.
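The root cause described above is a help-centre search that indexed staff-only pages alongside public ones and applied no check on who was asking. The following is an added illustration, not BetVictor’s code or Hogben’s: the document corpus, the roles, the “Internal” title convention and the search functions are all constructed here. It places the unfiltered search beside a version that enforces a visibility label at query time, and adds a pre-publish lint that flags credential-looking content before it can reach a public index.

```python
"""Added example: help-centre search with and without a visibility filter.

Everything here is constructed for illustration (documents, roles, search
logic); it is not the code of any real help-centre product.
"""
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"


@dataclass(frozen=True)
class Document:
    title: str
    body: str
    visibility: Visibility


@dataclass
class Caller:
    """Who is running the search. An anonymous visitor has no roles."""
    roles: frozenset = field(default_factory=frozenset)


# Constructed corpus. The third entry mimics the kind of page the post
# describes, with placeholders standing in for any real credentials.
CORPUS = [
    Document("How do I reset my password?",
             "Use the forgotten password link on the login page.",
             Visibility.PUBLIC),
    Document("Responsible gambling tools",
             "You can set deposit limits from your account settings.",
             Visibility.PUBLIC),
    Document("Logins/Links to Back Offices - Internal",
             "admin user: <placeholder> password: <placeholder>",
             Visibility.INTERNAL),
    Document("Staff holiday policy - Internal",
             "Employees must book leave two weeks in advance.",
             Visibility.INTERNAL),
]


def _matches(doc: Document, term: str) -> bool:
    """Case-insensitive substring match over title and body."""
    needle = term.lower()
    return needle in doc.title.lower() or needle in doc.body.lower()


def search_unfiltered(term: str) -> list[str]:
    """The weak pattern: a single index and no check on the caller.
    A visitor typing 'admin' gets the staff page back."""
    return [doc.title for doc in CORPUS if _matches(doc, term)]


def search_filtered(term: str, caller: Caller) -> list[str]:
    """The hardened pattern: visibility is enforced at query time, so an
    internal page is never matched for a caller who may not read it."""
    can_see_internal = "staff" in caller.roles
    results = []
    for doc in CORPUS:
        if doc.visibility is Visibility.INTERNAL and not can_see_internal:
            continue
        if _matches(doc, term):
            results.append(doc.title)
    return results


def audit_for_public_index(docs: list[Document]) -> list[str]:
    """Pre-publish lint, independent of the visibility label: flag any
    document whose title follows the '- Internal' convention or whose body
    carries credential-looking text. Catches pages mislabelled as public."""
    flagged = []
    for doc in docs:
        looks_internal = "internal" in doc.title.lower()
        has_secret = "password:" in doc.body.lower()
        if looks_internal or has_secret:
            flagged.append(doc.title)
    return flagged


if __name__ == "__main__":
    print("unfiltered 'admin':", search_unfiltered("admin"))
    print("anonymous 'admin':", search_filtered("admin", Caller()))
    print("staff 'admin':", search_filtered("admin", Caller(frozenset({"staff"}))))
    print("lint flags:", audit_for_public_index(CORPUS))
```

The important design point is where the filter sits: `search_filtered` skips internal documents before matching rather than trimming results afterwards, so even result counts or snippets cannot leak the existence of a staff page. The lint in `audit_for_public_index` runs at indexing time, so a mislabelled page is caught before it is ever searchable.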
Have BetVictor Customers Been Affected or Exposed?
It is unknown at this point if customer-specific information was put at risk or if it fell into the hands of bad actors. BetVictor has yet to release a press release or offer additional details regarding the security lapse.
Chris Hogben reports he did not test any of the usernames or passwords for fear of breaking hacking laws. Thus, the full extent of what may have been exposed remains unknown at this time. It is possible, Hogben explains, that sensitive company information as well as customer-specific information may have been exposed in the inadvertent leak.
For instance, the login entry for Experian may well have granted someone with bad intentions access to confidential customer information and uploaded identity verification documents. Hogben also notes that he did not run an exhaustive search for other confidential documents – and it is therefore possible even more information than what he found was left exposed to the world.
Hogben sent a follow-up e-mail to BetVictor asking if any user information had been put at risk, but as of this post, BetVictor has only responded to say it cannot comment until it has completed an investigation of the matter.
Bad Timing for BetVictor
The timing for the discovery of this security lapse could not be worse for BetVictor. Just last month, the UK Gambling Commission published a notice stating that new customer data legislation is now in force.
The law, called the General Data Protection Regulation (GDPR), took effect on 25 May, 2018. As the Gambling Commission notes, the GDPR “creates an onus on companies to understand the risks that they create for others, and to ensure they are mitigating those risks.”
BetVictor will need to act quickly to get a handle on this situation, inform customers of any potential data breaches and implement new policies if it hopes to avoid a serious sanction from the UKGC or other regulatory agencies.
The Information Commissioner’s Office (ICO) is responsible for regulating the GDPR, but the UKGC has also shown plenty of willingness to make examples of bookmakers that it believes have failed to protect the interests of their customers.