Last week, an online casino group based in Cyprus and Curacao left information on 108 million bets exposed on their server.
This included personal details such as names and addresses, as well as information about players' betting history, deposits and withdrawals. Payment details were also exposed, although these were ‘partially redacted'.
It is still unclear as to how long the details were publicly available, as the exposed server was found by a security researcher rather than any of the casinos themselves.
The server has now been taken down and so the details are no longer public, however, it's too late to ensure that any data hasn't fallen into the wrong hands.
Online Casino Security Breach – The Key Details
This security failure comes at a time where players are more concerned than ever before about their data security, and so it's definitely worrying.
The good news is that whilst this is a serious mistake, there are plenty of measures you can take to keep yourself safe when gaming online.
Read on to find out how such a huge security breach occurred, who was affected, and how you can prevent this happening to you.
- Domains affected by the breach include Kahunacasino.com, Azur-casino.com, Easybet.com, and Viproomcasino.net.
- Each affected domain was operating under the same license number, issued by the Curacao government, which suggests they are all owned by the same company.
- Both Kahunacasino.com and Viproomcasino.net are owned by Mountberg Ltd, who are based in Cyprus.
- A spokesperson for Mountberg Ltd told the press that they took ‘prompt action to secure [their] client's information, avoiding any data spread'.
What Information was Exposed?
The exposed server showed 108 million online casino account records which included:
- Betting History Information – current bets, wins, account balances, deposits and withdrawals,
- Casino Activity Information – IP addresses, time and date of the last log-in, usernames, browser and operating system details, games played.
- Personal Details – Names, physical addresses, email addresses, phone numbers, dates of birth.
- Payment Details – payment card details were also available, though in a ‘partially redacted' form. This means that the users' full financial details were not at risk.
How Did the Security Breach Happen?
In this instance, the data was leaked from an ElasticSearch server, which was left online without a password. ElasticSearch is a high-grade search engine, which is used by companies to improve their websites data indexing and search capabilities.
These servers are normally installed on internal networks, which keeps the data they hold offline and away from prying eyes.
Despite only one server being exposed, the ElasticSearch server handled a huge amount of information pulled from multiple web domains. It's likely that this was due to an affiliate scheme, or due to the fact that one casino operator was running several online casinos.
Moreover, as the casino was operating under a Curacao license, this breach has raised many questions about whether or not players should trust casinos which are licensed by this government.
Curacao licenses have always been deemed the least-strict, especially in contrast to licenses issued by the United Kingdom Gambling Commission (UKGC) and the Malta Gaming Authority (MGA).
This means that it's far easier for unscrupulous casino operators to gain licenses in Curacao and that they don't need to implement as stringent security measures.
How to Keep Your Data Safe at Online Casinos
If you've read this article and started to worry that your data could be exposed when playing at an online casino, then the good news is that security breaches of this nature are very rare. Moreover, there are many extra measures you can take to make sure you're not at risk.
Below we've listed some of our top tips for keeping safe when playing at an online casino.
⚠️ Always Play at UKGC-licensed Online Casinos and Sportsbooks
As we've just mentioned, not all casino licenses are created equal. To ensure you're playing at a secure and regulated site, you should only ever play at an online casino which is licensed by the United Kingdom Gambling Commission.
Not only does the UKGC enforce strict security policies, but all casinos which accept UK players must have a UKGC licence to be operating legally. A site which is accepting UK players without a UKGC license is one to avoid.
⚠️ Always Check You Are Entering Personal Details Over a Secure Server
When you are visiting any website, whether that's an online casino or a social media platform, you should always look for the padlock icon in the URL bar. This shows you that your connection is secure and that your information is private when sent to the site.
If the padlock icon is not showing in your URL bar, this means that the site may not be using a private connection. As such, you should avoid entering any personal information into the site, and may well wish to avoid the site altogether.
On some sites, if the padlock symbol isn't displayed, you may be able to visit a more secure version of the page. To do this, you can simply change the ‘http://' prefix in the URL bar to ‘https://‘ instead.
⚠️ Use an E-Wallet Service to Make Deposits and Withdrawals
Almost all online casinos now offer players multiple ways to fund their accounts. These usually include traditional methods, such as via credit/debit card, alongside modern methods such as e-wallet and pay by phone services.
When making a casino deposit, we'd always recommend using an e-wallet or pay by phone service. This is because they do not require you to enter your banking details at the casino. Instead, you simply use your e-wallet login details.
This means that should a casino suffer a data breach, your card or bank details will not be exposed. Moreover, even if you're e-wallet details are exposed, trusted e-wallet services implement many different security measures. This means that even with a username and password, it may be very difficult for anyone to login to your e-wallet account.
E-wallet services such as PayPal will notice if your account is being accessed from an unfamiliar IP address and ask you to verify your identity by answering security questions or by entering a pin-code which will be sent to your email address or phone number.