In my previous post, I detailed a stupidly easy information disclosure issue at the international betting and gaming website BetVictor, where usernames and passwords for various back-end and 3rd-party systems were exposed for all to see.
Since publishing the post, the story has been picked up by numerous media websites including ZDNet, Motherboard and The Register.
To try and understand the severity of the problem, I contacted management and the media department at BetVictor to try and get a statement. This would have provided the needed reassurance to their customers that no personal information was at risk or had been disclosed, and that any credentials exposed were old or no longer in use.
I initially asked for a statement or comment in the e-mail thread containing the original vulnerability report. I asked some simple questions including a confirmation that the issue was fixed, and what, if any, customer information was at risk.
The reply came back in around an hour. BetVictor stated that at the time, investigations were ongoing and that they were unable to answer the questions raised.
They requested sight of the original blog post prior to publication to “… see if we would like to add any comments”; however, it was not possible to facilitate that request.
The following day, I responded by requesting an update when the investigations had concluded and also asking some very basic questions regarding customers’ data — whether any was at risk and whether any was exposed.
With GDPR now in force across the EU, it is important that companies report any security or data breach to the relevant authorities within a certain timeframe — usually 72 hours. I wanted to ascertain the nature of the breach to see whether BetVictor would need to report under the regulations.
At this stage, the contact centre management team defers the request to their media department. It appears as though the line of questioning may be affecting them given the spelling and typographical mistakes in the one-line response.
I prepare an e-mail to the media department. In it, I outline the nature of my enquiry and the reason for my contact — to try and get a reassuring statement for their customers.
A list of seven questions is included, covering the points I would like BetVictor to address in their statement. Once again, I ask if any customer data was at risk or potentially exposed.
There was no response to this enquiry. No e-mail was received on the 28th, 29th or 30th of June. The media department remained silent.
During the evening of June 30th, my attention was drawn to the BetVictor Twitter account. A user had asked BetVictor whether their website was secure given the nature of my discovery. The response stated categorically that there was “no breach of security/customer information”.
This seemed odd.
We knew that there was likely a security issue because of all the passwords that were disclosed. Plus, BetVictor had already provided a statement to The Register, confirming that they had prevented access to external systems that had not expired — suggesting that at least one of the exposed pairs of credentials was current.
“As soon as we became aware of the problem we disabled the Help Centre and prevented external access to any systems that had not expired.”
https://www.theregister.co.uk/2018/06/27/researcher_wagers_betvictor_is_lax_on_password_protection
I called the BetVictor Twitter account out on this point, in an attempt to get them to clarify the position. I also enquired why they were not providing this kind of firm assurance to me in a statement.
Once again, I am directed back to the media department of BetVictor. The one that has been silent for days. The BetVictor Twitter account is not willing to clarify how they are able to provide such a strong reassurance.
Why will BetVictor not make further comment on social media? It was easy for them to state “no breach of security/customer information” in an earlier tweet, so they must have evidence to back up this claim? If no customer data was ever at risk then surely it would be trivial to provide a simple statement confirming this and providing customers with reassurance?
🤔
I responded with screenshots of the e-mail I had sent to the media department, including the dates that it was sent and the fact that I had not received a response to my enquiries.
I left them alone as they obviously didn’t want to talk to me further.
How nice of them.
I once again fire off an e-mail to the apparent media team. I referenced the strong assurance that the Twitter team was able to provide directly to a user and once again asked for a statement or comment regarding my earlier questions.
Why can they be so sure? If there was no risk of customer data, then provide a statement saying so. This isn’t rocket science.
Of course, if customer data was at risk, why would the BetVictor Twitter team provide a potentially false assurance to a user? Why would it take so long to provide a statement, especially given the timeframes set out under GDPR?
I have yet [July 9th, 09:45 GMT+1] to receive any response to either e-mail sent through to the media department. If this changes, I will include it here.
UPDATE — 9th July 2018, 09:50 (GMT+1)
I have yet to hear anything back from BetVictor. Their customers deserve to know if their information was safe or potentially at risk. It is such a simple question to answer — why are they stalling? I send another couple of e-mails.
UPDATE — 11th July 2018, 11:10 (GMT+1)
A rare reply is received, but this time from the BetVictor contact centre management. They pull up the drawbridge. Why are they still refusing to say “NO USER DATA WAS AT RISK”? I think we can guess at the probable answer.
I am now more determined than ever to find out what they are hiding.
As it currently stands, we are no closer to finding out the true impact of the disclosure of the BetVictor credentials.
How many of the systems and passwords were correct? We have no idea.
Was customer information ever at risk? We can’t be sure.
Were BetVictor’s systems accessed without authorisation? We don’t know.
Is this the best way to handle legitimate requests and questions about a potential security issue? NO.
Note: In the writing of this post, I opted not to contact BetVictor for a statement about them not providing a statement. I think you will understand why.