Gambling website Paddy Power has been labelled 'irresponsible and senseless' after delaying the disclosure that details of over 600,000 customers were stolen in a data breach in 2010.
The dataset contained customers' names, usernames, addresses, email addresses, contact phone numbers, dates of birth, and security questions and answers. The firm emphasised that customers' financial information, such as credit or debit card details, was not compromised and is not at risk, and that account passwords had also not been compromised.
"Paddy Power's account monitoring has not detected any suspicious activity to indicate that customers' accounts have been adversely impacted in any way," the firm said.
The company said that the accessed data alone would not have been sufficient to gain access to a Paddy Power customer account. The 649,055 customers affected have been told to update their security questions and answers on other websites where they use the same details.
But questions remain as to why the online gambling firm has only just publicly disclosed a breach that took place four years ago.
Paddy Power claims that the full extent of the 2010 data breach only became known in recent months when it took legal action in Canada. It was told in May that a man in Canada had a large database of information that he had retrieved from the attack. The man's computers were seized after the company was granted court orders to take a look at the devices and analyse the data on them.
However, the company said it had been aware of the attack back in 2010, but did not inform users of the breach.
George Anderson, director of internet security firm Webroot, said that it was "shocking to see that Paddy Power had waited over four years to inform its users of the cyber-attack on the company".
"Waiting four years isn't just irresponsible, it's senseless," he said.
He suggested that the first step in a situation like this should be to inform customers, particularly if they are advising people to change their security questions and answers on other sites as a security measure.
Paddy Power suggested that its own customer accounts had not been compromised, but Mark James, technical team leader at antivirus software provider ESET, believes that stolen data of this kind is often not used for that purpose.
"It's the basis for other activities and that's why the end users need to be informed as soon as possible," he said.
But his colleague, David Harley, who is a senior research fellow at ESET, believes it is nothing new for companies to wait before releasing details of a data breach.
"Intentional long-term non-disclosure is not new, although the trend recently has been away from that because in several jurisdictions non-disclosure may incur legal sanctions if it's not in the interest of its customers," he said.
He said that companies may be less likely to volunteer information until it becomes necessary, for fear of inviting legal action, especially class actions.