Has Merkur’s player data breach raised further questions on security?

On 15 March a software engineer and ethical hacker in Germany, named Lilith Wittmann, published an exposé on a player data security breach she had discovered across a number of Merkur Group’s betting sites in Germany.
In her Medium blog post, Wittmann said she had been able to access highly sensitive player data through a GraphQL query, including banking details and sign-up information. This data belonged to account holders across Merkur’s Slotmagie, Crazybuzzer and Merkurbets sites.
Wittmann presented a report to the German gambling regulator (GGL) detailing the breach, which she said had enabled her to access over 800,000 people’s data, German news site Heise reported on 15 March.
In a statement emailed to iGB, one of the impacted suppliers, Malta-based gaming platform and games provider The Mill Adventure, said the breach had been “an unprecedented event for our systems and we took immediate action to address the issue”.
A spokesperson said the company had taken swift action and has collaborated with top cybersecurity experts to further harden its defences, “to ensure even greater protection for the players”.
“Moving forward, we remain fully committed to maintaining the highest security standards so that all player data stays safe and private, as it should,” they said.
How did the GGL respond to the breach?
What followed was a public reprimand from the GGL, which saw The Mill Adventure, alongside Cashpoint Malta and Solis Ortus Service, placed on a public warnings list on the GGL’s website.
The note said the suppliers had failed to meet their obligation to carry out an annual pentest (penetration test), which helps to uncover potential weaknesses within a system. This led to a lack of security for player data on the domain www.slotmagie.de.
It said the breached data had included player IDs, nicknames, genders, time of LUGAS (self-exclusion register) registration, time of last login, payment statistics, limit histories and also payment profiles.
The Mill Adventure was given until June to remedy the fault and meet its obligation. In a statement to iGB on 19 March, the GGL said three suppliers had been contacted by the regulator about “IT-security vulnerabilities” and were told to address them.
But it said the regulatory violations had since been resolved. The GGL declined to answer additional questions on whether the impacted players could be eligible for compensation, or what, if any, actions the supplier and operator could face due to these failures.
Are the breached players further at risk?
However, one local legal expert told iGB the regulator has a host of measures it could use to reprimand these failings.
In its investigation, the regulator will have reviewed the scope of the leak, why it happened and whether the providers involved had carried out the required security tests, the source says.
From there the GGL could choose to suspend the licences of those involved, effectively suspending the operational business with immediate effect.
“Alternatively, they could reduce the licence term by a quarter of the whole licence period, which usually is five years and would probably end in 2027. Lastly, the regulator could withdraw the licences altogether, cutting off their business with immediate effect,” the source comments.
But, in terms of GDPR, the regulator could also be at risk in this case, as it is responsible for its own data processing.
Notably, the breach could have resulted in a serious security risk for the players impacted. If hackers were to submit a request to the GGL using the breached player IDs, they could obtain further data on these respective players.
“If Ms Wittmann or someone else had actually used the stolen player ID to request further player data from the GGL [as per Article 15 of the GDPR regulations], the GGL’s technical and organisational measures would certainly have been insufficient [in protecting the players]. There would be strong indications of a data breach at the GGL, if this had happened,” the expert warns.
“To me that sounds as if nothing has been resolved yet,” they add.
Have the operator and regulator downplayed the risk impacted players could face?
Wittmann did not respond to requests for comment from iGB, but in an interview with Heise on 19 March, she said the operator in question “didn’t give a damn about the security of players’ data”.
“We’re not talking about a few accidentally left open security gaps here,” she added.
Wittmann also highlighted the risk that the GGL could be implicated if hackers obtain additional player data from the regulator, using the breached information.
In her interview, Wittmann also suggested Merkur was using weak and outdated KYC processes.
Merkur responded to the incident via an FAQ page uploaded to its impacted sites, informing players of what had happened in the breach.
On its SlotMagie site, the operator said: “We take the protection of your personal data very seriously and maintain comprehensive, market-standard security standards to protect your personal data.
“You can be assured that we will adequately protect your data. The fact that the white hat hacker was still able to access the data only demonstrates that no system can be 100% secure.”
We’ve seen cases like this before
This is certainly not the first case of a security breach impacting player data in the sector. In November 2022, Joseph Garrison in the US launched a “credential stuffing attack”, in which he and other hackers successfully accessed approximately 60,000 DraftKings accounts using leaked player data.
According to a Department of Justice statement on Garrison’s sentencing, he and others stole about $600,000 from approximately 1,600 victim accounts on DraftKings. He was ultimately sentenced to 18 months in prison.
The high-profile case prompted US regulators to consider industry standards that would better protect operators and their consumers from cyber-attacks.
But regulation and guidelines can only do so much to protect operators from similar threats, and some stakeholders believe cyber security is low on the priority list.
Speaking to iGB, a gaming sector cyber security specialist says the industry’s investment in security is “not at the level where it really ought to be, when compared to the fintech industry, particularly online banking or trading”.
“There’s lots of reasons for that,” he adds. “I don’t think companies are unaware that there are real risks. I don’t think there’s any intent to throw their hands up and say, ‘I don’t really care about this.’ But there’s so much to deal with in this sector, and it’s an increasingly margin-compressed one, so something is going to give.”
How big is the risk to player data?
Commenting on the Merkur case specifically, the source says credential stuffing is clearly happening across platforms like Telegram and the dark web. “You can easily see that this is not a highly isolated event.”
But he believes investment in security is growing. “If you’re a young company or a startup in the space, it’s very difficult to [implement best practice], so you’re going to take some kind of calculated risks. But the bigger operators now, according to anecdotal information, are leaning in harder. The amount of investment [in cyber security] is growing.”
Ultimately, he says, players should not believe they are at high risk of having their sensitive information leaked on the dark web. And when asked whether regulators are well equipped to deal with these threats, the source notes: “From what I see, regulators understand the topic more than well enough to fulfil the responsibilities of their job, but there are practical limits to their resources.”