Paddy Power is apologizing for a four-year-old security breach that saw hundreds of thousands of player profiles stolen.
Hackers made the theft in 2010, but the Irish bookmaker said the hackers did not get credit card information or player passwords.
The company said it waited four years to disclose the breach because it only recently knew the details of the theft. However, many online security experts talking to the Associated Press said the betting firm should have alerted its customers much sooner.
Paddy Power acknowledged that it did know of an attempt to hack its customer’s online accounts in 2010, but did not find any evidence that the attempt was successful.
The company, however, was tipped off in May that a Toronto man had an archive of Paddy Power player information including customers’ names, usernames, addresses, emails, phone numbers, birthdates and security questions—details useful to impersonate the customers and potentially crack into their personal accounts on other sites, the AP reported.
The company is pursuing the matter in Canadian courts, but the unnamed individual has not been charged with a crime as of yet.
Paddy Power will send e-mails to 649,055 customers advising them to change their security questions on all online accounts, the company said.