Chain and perception: A player data breach can impact every part of a business

Recent industry data breach events have prompted me to return quill to papyrus, because they have got me thinking. The rabbit hole dive started with the old adage of a chain being only as strong as its weakest link.  

I had been looking at some cybersecurity information because of some work I was doing and I remembered how, at one of the hacker expos in Vegas, they used to challenge attendees to gather as much personal data as they could in the city using only equipment available to the general public – i.e. over the counter in Radio Shack or wherever.  

They scooped data out of the air, driving up and down The Strip, plucking card details and much more. One of the least secure areas in a standard resort, it turned out, was the handheld payment devices in restaurants. 

There is a human on the other side of every data breach

I got married in Vegas several years ago. Elvis was at the wedding and fun was had by all. When I got home, I discovered that my bank account had been wiped clean. No idea how or when or where, but I was freshly married, moving into a new house, and it was right before the Christmas and New Year holiday. I mean, we were screwed.

The bank was awesome, took care of everything, but it still took three to four weeks because of the holidays and where the weekends fell that year. Thankfully my mum’s wedding gift to us was our first two months’ rent, so at least we didn’t get kicked straight out.  

Why am I sharing this? Because when customer information is stolen during a data breach, there is a human being on the end of that, getting absolutely dicked. Not a statistic, not one of hundreds of thousands of people, just one person, an individual victim of… Well, of what? A crime, sure. But who is responsible for that crime? 

Customer perception 

It got me thinking that customer perception is incredibly important in a brand-driven industry. Say, for example, that my details got scooped up by some Radio Shack enthusiast and sold on with a tranche of other unlucky mugs.

Say I was using a Burger King franchise in Caesars (for the record, I don’t even know if there is a BK in Caesars and I’m using them because I never, ever eat at BK. ‘Have it your way’, my arse) and my details got plucked out of the air and sold on.  

As a fairly straightforward, surprisingly handsome, but quite short human being, how would I describe that to my friends and family, or on social media? 

“My details got stolen when I was at Caesars in Las Vegas.” 

The point here is that while it is a BK franchise and nothing really to do with the parent property, the perception is not the same thing at all. Logic has no place in this whatsoever. And that perception is what’s going to tarnish your brand – and there is absolutely nothing you can do about it. Isn’t there? 

There was a case recently in Germany where Merkur had a tonne – an absolute tonne – of player data stolen and it came about because of an issue with a supplier for their online casino, The Mill Adventure (TMA) . As any cyber professional will say, you might get 99 things perfect, but the opportunist hacker only needs to find the one thing you missed and… that’s that.

Following the supplier chain

I am certainly not pointing a finger at TMA, just saying that your suppliers can be weak(er) links in the chain and, from the outside, you only have their assurances that all is well, that they have a plan for events like this and more.  

The only way to mitigate this is surely to have contractual clauses requiring evolving security standards and to demand the highest standards from every supplier you have. 

And for every supplier they have and for all of their supplier suppliers and so on down the chain. It reminds me of the British government’s HIV awareness propaganda in the ’80s, where they pointed out that if you had unprotected sex you weren’t just having sex with that person, but with everyone they had slept with without protection and everyone they had slept with and so on.  

In this context, the UK Gambling Commission’s tools to fight against the black market make a lot of sense; it’s a similar approach, just in a positive, non-destructive way. Bear with me here.

The Gambling Commission CEO Andrew Rhodes said, back in November 2024, that industry stakeholders should “all undertake due diligence to ensure none of your suppliers are directly or indirectly engaged in supporting unlicensed activity in this market”.

“The Gambling Commission’s strategy on combatting illegal gambling is to cause as much up-stream disruption as we can, which is why we have focused on ISPs, payment providers, search engines, software suppliers and more.”

Well, if you’re going to do that (and it makes sense, surely?), then this is not even an extension of that. Your suppliers and business contacts hold your reputation in their hands and you don’t even know if they washed them after using the toilet.  

Branding, schmanding 

I got an email the other day saying: “Branding isn’t just about visuals; it’s about emotion. Every colour, word and experience influences how customers feel about your business. A strong emotional connection builds trust and encourages repeat business.”  

Well, that can all be wiped out in a very short time. Not just because of a data breach, identity theft, money disappearing, but it’s also about how you handle the problem. What do you do about it?

Negative events also provoke an emotional response, one that no brand can control; it’s great to have a plan to manage negative events, that’s why we need to have a realistic plan, including meaningful reparation or whatever to those affected.  

But you can prevent a player data breach in the first place to a large extent by making sure the people you are working with are also doing everything they should be. Because your reputation is also in their hands and vice versa. 

Also recently, I got an email from the people handling the disbursement of the MGM money going out to people whose details got stolen. I didn’t reply because, seriously, looked like a scam.