Cybersecurity Spotlight on UK Betting: Flutter Reports Data Breach at Major Brands

Flutter Entertainment’s UK and Ireland division has confirmed a customer data incident impacting its prominent Paddy Power and Betfair brands. The breach, which exposed limited personal information for some customers, underscores the escalating cybersecurity challenges facing the gambling industry and broader digital economy. The company has moved swiftly to contain the incident and inform affected individuals.
A spokesperson for Flutter Entertainment UKI confirmed that the incident involved certain personal information belonging to customers of its Paddy Power and Betfair businesses. Details such as usernames and email addresses may have been obtained by unauthorized actors. Additionally, some technical data, including device IDs and IP addresses, along with certain portions of customer addresses (like the first line and city), could have been accessed. Crucially, Flutter emphasized that its investigation concluded that no passwords, identification documents, or usable card or payment details were compromised in the incident. While not all Paddy Power and Betfair customers were affected, a significant number, predominantly based in the UK and Ireland, have been impacted.
Immediately upon becoming aware of the incident, Flutter informed relevant regulators and authorities, including the UK Gambling Commission (UKGC) and the Information Commissioner’s Office (ICO). The company promptly initiated a full investigation, supported by external IT security experts, to understand the nature of the breach and to strengthen its network defenses. Flutter confirmed that the unauthorized access has been removed, and the incident is believed to be fully isolated, contained, and resolved. Despite no current awareness of any misuse of the compromised information, Flutter has advised affected customers to remain vigilant for suspicious activity, such as phishing attacks or attempts at impersonation. The company reiterated that safeguarding and securing customer information is of utmost importance.
Broader Industry Cybersecurity Challenges
This data breach at Paddy Power and Betfair follows a series of recent cybersecurity incidents impacting various sectors, highlighting a pervasive threat landscape. Just last month, the British Horseracing Authority (BHA) was targeted in a cyber attack that affected its internal systems and data. Outside the gambling sphere, major UK retailers Marks and Spencer and The Co-op also suffered significant cyber incidents in April. Marks and Spencer’s attack, attributed to a third-party vendor compromise, impacted online clothing orders and gift card services, potentially costing the retailer an estimated 300 million pounds in lost profit. The Co-op’s attack similarly led to operational disruptions and data exposure, though the company reported being near a full recovery by early June. More broadly, the year has seen incidents like MGM Resorts International agreeing to a $45 million data-breach lawsuit settlement after being compromised in two breaches (in 2019 and 2023), one of which took its land-based systems offline for days. Gaming supplier Stakelogic also experienced a cybersecurity incident in March where its CEO’s emails were reportedly hacked.
Industry experts emphasize the constant threat posed by cyber criminals. Chris Blake, director at cybersecurity firm Firesand, has stated that such incidents underline a fundamental truth: “no matter how robust and secure your systems seem, there is always a risk of exposure.” He stressed that “Vigilant and continually-evolving security measures and rapid response protocols aren’t just best practice, they are essential in a world where cyber threats continue to rise.”
The incident also draws attention to ongoing regulatory scrutiny concerning customer data. Earlier in March, a UK High Court ruling determined that Sky Betting & Gaming, another Flutter subsidiary, unlawfully collected and used customer data for marketing without proper consent between 2017 and 2019. The ICO has also reprimanded Sky Betting & Gaming for improperly sharing user data with advertising technology firms. UK regulators are intensifying their scrutiny of customer tracking and data protection practices, indicating that gambling operators may face increased enforcement actions to ensure compliance with data protection laws.
Flutter is scheduled to report its financial results for the second quarter of 2025 on August 7. The incident underscores the critical importance of robust cybersecurity measures and transparent communication in maintaining customer trust and regulatory compliance within the rapidly evolving digital gambling industry.