Customer data leaked
Customers of Flutter-owned operators Paddy Power and Betfair have had their personal information compromised in a major data breach, the operators have announced.
Many account holders at the two sites received emails on Tuesday morning informing them that their personal details may have been leaked after the sites were compromised in what is believed to be a major cyberattack.
A statement from Flutter clarified that no passwords, payment details or personal identification documents were compromised, but usernames, contact information, and home addresses could all have been leaked.
Incident contained
Speaking to the Racing Post, Flutter said: “We can confirm that our Paddy Power and Betfair businesses have suffered a data incident involving personal information for some of our customers.”
Flutter also confirmed that they had reported the matter to the authorities and regulators, with the Racing Post confirming that the UK Gambling Commission and the Information Commissioner’s Office had been informed about the attack.
“Immediately upon becoming aware of this incident, we informed relevant regulators and authorities and initiated a full investigation, supported by external IT security experts, to understand what happened and how we can better protect our networks and customers,” the statement continued. “The unauthorised access has been removed and the incident contained.”
“Our investigation concluded that the affected information was isolated to limited betting account information. No passwords, ID documents or usable card or payment details were impacted. We are informing all affected customers. Safeguarding and securing our customers’ information is of the utmost importance to us.”
Ransomware attacks growing
There are no further details on whether the attack was intended as ransomware or was purely an attempt to use customer details for potential identity theft.
June 2025 has already seen a spate of cyberattacks across a wide variety of major industries and public bodies in the US and UK, but gambling sites have long been a lucrative target for hackers.
Earlier this year, one of Paddy Power’s live casino partners, Stakelogic, had the email account of CEO Stephan van den Oetelaar compromised, leading to several businesses being sent emails from the hacked address.
Even land-based operators have come under attack this year, with Kewadin Casinos, which operates establishments in Michigan, subjected to a ransomware attack in February which affected several properties.
That was then followed by another hack on a tribal casino, the Jackpot Junction Casino and Hotel in Minnesota, which was forced to suspend all operations in April after a ransomware attack locked down many of its systems.