Flutter investigates player data breach affecting significant number of UK customers

Flutter Entertainment has initiated an internal investigation after customer data was leaked from its Paddy Power and Betfair products.

iGB understands “a significant part” of Flutter’s UK customer base across Paddy Power and Betfair were affected, with user names, email addresses and first lines of home addresses among the information taken.

The breached player data also included details of some recent activity on accounts and technical data such as device ID and IP address.

‘Significant’ number of players impacted by data breach

According to Flutter’s 2024 annual report, the operator overall has 4.2 million average monthly players in the UK and Ireland (UKI) across all Flutter brands.

Flutter said the incident has been contained and the accounts have not been suspended. A source close to Flutter said no customer passwords, ID documents or usable card data was taken. All affected players were informed about the breach by email.

It is understood that Flutter was not legally obliged to inform customers, due to the limited amount of player data breached, but felt it was the right course of action. Flutter also informed the Gambling Commission and Information Commissioner’s Office.

Investigation into data breach initiated

The investigation was initiated as soon as Flutter was informed of the player data breach.

A Flutter UKI spokesperson told iGB: “Immediately upon becoming aware of this incident, we informed relevant regulators and authorities and initiated a full investigation, supported by external IT security experts, to understand what happened and how we can better protect our networks and customers. The unauthorised access has been removed and the incident contained.”

Player data breaches across the sector

Player data breaches are not uncommon across the sector. Germany’s Merkur was impacted by a widespread player data breach across a number of its operator sites in February.

This was uncovered by an ethical hacker who found very sensitive information like banking details had been hacked and could be at risk.

Merkur assured players their information was unlikely to be accessed by others, but the German gambling regulator ordered the operator to harden its cybersecurity enforcements to prevent any further breaches.

In June, the British Horseracing Authority was hit by a cyberattack that led to a temporary closure of its London office.