B.C.'s privacy commissioner has confirmed that a breach that compromised users' account details forced the shutdown of the B.C. Lottery Corporation's new online casino PlayNow.com just hours after it was launched last week.
Elizabeth Denham said the personal information of more than 130 people was inadvertently shared with other customers on the website.
The problem was not caused by a hacker, Denham said, but by "data crossover" that made the names, contact information and, in some cases, credit card and bank information visible to other gamblers using the site.
The site will not be back up until the problem is fixed, Denham said, adding she has asked BCLC to pay for a credit monitoring service to ensure the victims of the breach won't be targeted by fraudsters.
BCLC confirms breach
BCLC initially blamed the shutdown of the website on an overwhelming rush of customers when it was launched last Thursday, but made no mention of a possible breach of customers' privacy in its initial statements.
"High player volumes to the Playnow.com website on July 15 exceeded server capacity, creating traffic and load issues," said a statement released by BCLC on Monday.
But on Tuesday it issued a statement confirming the website was actually shut down because of the privacy breach.
"Due to tremendous interest and traffic associated with the launch of casino games on PlayNow.com on July 15th, BCLC servers experienced load issues causing what is technically referred to as a 'data crossover,'" the statement issued on Tuesday said.
"Upon learning of this situation, BCLC took immediate action to shut down PlayNow.com, enabling a full assessment to occur.
"These 134 accounts could have been inadvertently accessed by any one of up to 105 players who were also online at the time. BCLC's assessment concludes that 12 of these 134 accounts had a measure of sensitive personal information viewed by another player," the statement said.
The statement was not clear about whether the cash value of any of the players' accounts had been affected by the breach.
"All impacted players have been contacted. … BCLC will reconcile all accounts impacted by the crossover of data as well as honour all winnings during this period to the benefit of all players involved," the statement said.
NDP raises privacy concerns
Before the privacy commissioner confirmed the breach, the B.C. NDP said the continued disruption of the site was raising concerns about the protection of personal information and called on the government to tell the public what is going on with the new gambling website.
"The B.C. Liberal government must tell British Columbians what is going on," said MLA Shane Simpson. "The suggestion by at least one expert that the site crashed because it was hacked is troubling.
"If the government is going to get into online gaming, they need to protect people's privacy. People want to be able to trust that their private information, from credit card numbers to gambling histories, is not being compromised."
The gambling website crashed just hours after its launch last Thursday and has yet to be restarted. Billed as the first government-sanctioned online casino in North America, the site was immediately controversial.
That led some computer security experts to speculate that hackers may have targeted the site with an overwhelming number of hits in order to disrupt the servers.
But officials at BCLC have been quick to deny speculation that hackers were involved.
"BCLC's assessment, verified by third party security experts, shows no evidence of external interference or 'hacking,'" said the statement issued on Monday.
Botnets can overwhelm websites
But Vaclav Vincalek, the head of Pacific Coast Information Systems, said the high number of hits the website immediately experienced could have been created by a hacker tool called a botnet, which the corporation might not have recognized as hacking.
Setting up a botnet involves sending out a computer virus that lies dormant in a network of home computers. The hacker then activates the virus and all those computers start sending normal-looking information and requests to one target website at the same time, overwhelming its servers.
Botnets involving as many as 1.5 million computers have been detected on the internet by police, but most are estimated to involve an average of 20,000 computers, in order to avoid detection.
In some cases, botnets are created in an attempt to extort money from the operators of websites, said Vincalek. "So you build your army of botnets and you go after the gambling website like this … and you say, 'Look, you either pay us X amount — $100,000 — or we shut you down,'" said Vincalek.