BetMGM Ontario’s player information was compromised less than two months after joining the Ontario online casino and sports betting market.
On Dec. 21, the sports betting giant informed patrons of a recent data breach that the company believes occurred in May 2022. However, BetMGM Ontario was not aware of the matter until Nov. 28.
Based on that timeline, the hack came less than two months after the American-based business entered Ontario’s gambling market on April 4.
Regardless, the heist included names, contact information, hashed Social Security numbers and much more. Importantly, player passwords and account funds remain safe, said BetMGM.
According to CTV News Toronto, despite the ordeal, iGaming Ontario – which oversees commercial operators in the province – remains calm.
“While this incident is serious and is being treated as such, the overall integrity of the Ontario regulated iGaming market is extremely reliable. Operators are required to have strict protocols in place to ensure the protection of people’s personal data.”
1.5 million customers potentially impacted
BetMGM has yet to disclose the exact number of customers affected. The company did not respond to PlayCanada’s request for comment by the time of publication.
Nonetheless, an alleged hacker posted stolen data from 1.5 million apparent customers on the dark web following the incident.
Alongside Ontario, impacted regions included New Jersey, Michigan and West Virginia.
The degree of exposure will vary in each case, BetMGM said in a previous press release.
Regardless, potentially breached info could include the following:
- Name
- Contact information (postal address, email, telephone number)
- Date of birth
- Hashed Social Security number
- Account identifiers (player ID, screen name)
- Information related to transactions with BetMGM
BetMGM CEO Adam Greenblatt said, via release, his team is already working on bolstering security measures.
“We are taking this matter very seriously and are working quickly to investigate it. The security of our platform and our patron’s data is a top priority for BetMGM. We regret any inconvenience this may cause.”
BetMGM offers identity restoration services for two years free of charge
To that end, reconciliation is already underway.
According to its press release, BetMGM said impacted parties are eligible for credit monitoring and identity restoration services for two years free of charge.
The company also implored players to remain alert by regularly reviewing their account statements and credit report.
Finally, Canadians can also order TransUnion Canada and Equifax credit reports.
BetMGM user: They need to do better
Despite its efforts, some players remain shaken by the incident.
One such example is Marco (name changed). A long-time user of BetMGM, the gambler told PlayCanada via email that he was unaware of the incident until a friend brought it to his attention.
Regardless, the punter says – after checking – his information remains safe.
But he still sympathizes with those not as fortunate.
“It’s bad. They need to be less prone to hacking, holding that type of financial information for thousands.”
He also said with such a competitive marketplace, these incidents could impact player trust in the future.
“For sure it would make me wonder (if I can trust them). I wouldn’t want to do a lot of business or have a ton of outstanding bets with a company that I was worried couldn’t protect my information.”
Cybersecurity analyst: Any data breach is significant
Ritesh Kotak – a cybersecurity analyst – doubled down on such sentiments.
In his interview with CTV Toronto, the expert said the optics don’t look great for BetMGM – especially considering they are less than a year into operating in Ontario.
“Anytime a company expands, it’s important to understand that cybersecurity and privacy, especially customer privacy, must be front and centre, it cannot be an afterthought.”
Kotak didn’t downplay the severity of the incident either.
“Once you become the victim of any type of break, putting the toothpaste back in the tube becomes almost impossible. Any type of data breach is significant because your personal identifiable information is essentially out there in cyberspace for hackers to leverage.”
He added:
“Think about how that information can be weaponized against members of the population you have, identity theft and theft of potential credentials.”
Stay safe(r) by creating new emails, enabling multi-factor login
However, Kotak stopped short of completely absolving players of responsibility.
In fact, according to the cybersecurity expert, players can do multiple things to increase their online safety, including:
- Creating a new email address and password
- Enabling multi-factor authentication
- Using prepaid credit cards
On that last point, Kotak said:
“You’re not actually putting in your actual credit card information so if there’s a breach, it’s limited to the amount of money you put in.”
Potential repercussions for BetMGM remain unknown
For now, it is unclear whether BetMGM will face significant repercussions in Ontario’s iGaming market.
However, multiple regulatory bodies have inquired into the matter.
For instance, the Office of the Information and Privacy Commissioner of Ontario has already received a breach report from BetMGM.
The Commissioner’s mission is to protect and promote privacy rights within the province. It is now determining the next best steps.
Meanwhile, the Alcohol and Gaming Commission of Ontario — iGO’s regulator — has also gotten involved.
AGCO did not respond when PlayCanada asked it to expand on the matter, but it addressed the incident in a previously released statement.
The immediate reaction:
“The Alcohol and Gaming Commission of Ontario (AGCO) is monitoring the BetMGM incident of unauthorized access to Ontario player data. This is a serious concern and we are reviewing BetMGM systems, policies and practices given their regulatory responsibility to protect player information.”
Not the first Canadian data breach and likely not the last
Unfortunately, BetMGM’s incident isn’t Canada’s first gaming cyberattack.
In 2016, Casino Rama fell victim to a 14,000-person hack. Personal files, confidential emails and employee information were all published in the raid.
FanDuel was another target in 2022.
Earlier today, FanDuel’s Sportsbook & Casino app experienced a technical incident in Canada caused by an IT change by a third-party provider. The incident impacted only customers logged in and active for a short period at approximately 12:00pm EDT today. (1/3)
— FanDuel Canada (@FanDuelCanada) September 8, 2022
The number of people impacted remains unknown. But it got bad enough that the company’s platform temporarily shut down when it discovered customer info was at risk.
At the time, FanDuel said it “experienced a technical incident” caused by a technology change by a third-party vendor. Thus, with Ontario’s gaming market still expanding, operators must remain vigilant.
Indeed, player security and safety must become a top concern in the industry.