A server “fault” at 32Red meant some of its customers were able to view the account balance and partial card details of other customers at the online casino, as well as some personal data.
32Red confirmed to Verdict that “118 accounts were potentially affected by the technical issue” that forced the company to close its site for maintenance last week.
On the morning of 18 February, 32Red users who logged into their accounts were shown the account holder name, last four digits and expiry date of other customers’ cards instead of their own. A “limited” number of usernames, names, addresses, email addresses and mobile numbers were also exposed to other 32Red customers.
“The technical issue was caused by a fault in a server that handles session information,” a spokesperson for Kindred Group, 32Red’s parent company, told Verdict.
The breach also meant that incorrect account balances were displayed to those who were logged in while the technical issue was ongoing.
One 32Red customer, who did not wish to be named, told Verdict that he was playing roulette when he noticed his balance was half of what it should have been.
“I then noticed money being deducted at the start of the spin and at the end. At first, I thought it was a glitch that might correct itself if I needed to top up,” he said.
“Eventually I did need to top up as my credit was being drained super-fast. Upon trying to top my balance, my cards weren’t present but two others were. I then suspected being hacked and someone set up in my account to steal my money.”
After he contacted the gambling company, 32Red said it was aware of the problem and was conducting a full investigation.
The customer added that he could see “other people’s monies and cards within my account, randomly changing”.
His balance of £42.50 was wrongly switched to 5p and at the time of publication had not been rectified.
Another 32Red customer said via Twitter:
“I watched my money drain from my account. I then refreshed to see someone else’s account with my debit card listed. I had a win yesterday and did a withdrawal last night of £150 so I’m hoping this doesn’t affect that. The fact they haven’t alerted anyone is a bit of a bad move.”
32Red told Verdict that it is in the process of fully restoring any account balances that were affected, adding that “there is no financial impact to any 32Red.com customer”.
The Gibraltar-licensed firm said it had notified the Gibraltar Regulatory Authority and would be contacting affected customers today.
The spokesperson stressed that “no financial transactions were made to or from incorrect payment cards”.
In a statement to Verdict, 32Red said:
“On Thursday morning 32Red, part of Kindred Group, experienced a technical issue on its platform and was taken offline. The issue has now been fixed and all facilities fully restored. The issue caused a breach of data concerning a small number of customers that were logged in at the relevant time.
“We have completed a full investigation and have reported to the relevant authority. We are also in the process of contacting affected customers.”
While the number of people affected is comparatively small and the type of data exposed is limited in the context of other breaches, it still comes with risks, according to Jake Moore, cybersecurity specialist at internet security firm ESET.
“Malicious actors can do a lot of damage with even a fraction of data that is leaked – even the last few digits of a card number to other customers as it can easily make its way into the wrong hands,” he told Verdict.
“Often people do not realise the significance of such stolen data and what can be done with this small set of sensitive information. Furthermore, if used in conjunction with other breached data it can soon become a joining the dots exercise on the dark web and black markets.”
He added: “Cybercriminals can cleverly and rapidly create phishing communications targeted on those to extract even more data where necessary. Therefore, it is vital that those affected are not only made aware of the compromise as soon as possible but they must remain on high alert to fraud and should think twice before communicating with any email or phone call over the coming weeks.”
This article was updated to include that usernames, names, addresses, email addresses and mobile numbers were also exposed.