Surebet247 Data Breach
Surebet247, one of Nigeria’s most popular online betting has suffered a potential security and data breach which has put thousands of their customers and their systems at risk. – iafrikan
According to Troy Hunt, Australian security researcher and founder of haveibeenpwned, the data was found by an anonymous source who tipped him off. Troy Hunt’s attempt to reach out to SureBet247 proved abortive.
While Troy was trying to get the attention of Surebet247, he sought the support of Tefo Mohapi, a journalist in South Africa with whom he had worked on the massive Master Deeds breach in 2017.
I often use journalists I trust like Tefo to get in touch with unresponsive companies as they’re very good at making them sit up and pay attention. – Troy Hunt.
What is interesting is that when Tefo followed up with Surebet247, he asked: “Any update? Have your customers been notified of the possible security breach and data breach? Any Comment”
Surebet247 replied: “This is ours to decide”
“It was only on Tuesday 31 December 2019, after I tried various methods of getting hold of the people at SureBet247, that eventually there was a response. However, the frustration continued as the company continued to display a nonchalant attitude to the potential security and data breach they could have suffered.
When I alerted one of the Nigerian betting operator’s customer care agents that we need a person that we can get in touch with and explain the breach and the data that was able to be accessed and possibly see how they can secure their systems, the agent answered, without asking for any further information, “We have done that sir. Thank you.”
Realizing that perhaps the agent doesn’t understand the urgency of my communication, I asked if there’s a technical support person I can get in touch with at SureBet247, I was referred to the same e-mail address that Hunt had e-mailed before. Just like him, I received no answer from their technical support.
At this point, a day later, I contacted the customer care agent again trying to explain how serious this is and at minimum, they need to alert their customers of the potential breach and the risks they face should their data fall into the wrong hands. Furthermore, I explained to the agent that it is better if they alerted their customers rather than they hear of the data breach via media publications, the agent responded by saying:
“That is ours to decide.”” – Tefo Mohapi
This reply only shows that they care neither about the data breach nor about their customers’ data. The NDPR implementation framework mandates organizations ….
While all this was going on, Tefo Mohapi’s writing about the data breach got Surebet247’s attention, and they went legal.
According to Troy Hunt,
“I’ll refrain from posting the entire messages he received as they were a bit, well, “legal”, but they came from a combination of Surebet247’s founder, Sheriff Olaniyan, and a South African attorney they’d retained. The former stated that they “seriously frown at this malicious news been [sic] promoted by your organization” and that they “will not hesitate to take legal action if you don’t stop and bring this down”. It continued with “No customer data of ours was hacked or exposed” and that Tefo’s story amounted to “fake news” (yes, seriously, they went Trump on him). Now, keep in mind that at this stage nobody from Surebet247 had replied to me and subsequently, nobody had seen the data I’d been sent. Yet somehow – magically – they had determined they were in the clear.”
They tweeted in this regard:
“Kindly ignore the information going round about a hack into our system which has exposed your information with us. All sensitive private and financial information are stored on a secured server and protected by the best firewall to prevent intrusions.”
I guess we didn’t see that coming!
The Director General and CEO of NITDA, Mr. Kashifu Inuwa Abdullahi, has given an order for the incident to be investigated by NITDA’s Data Breach Investigation Team.
“We are also sending a letter to the affected company to provide further details before we make our conclusions. NITDA appreciates the efforts of people like you who genuinely seek to reduce the flagrant breach of personal data globally,” reads part of the message the NITDA sent to iAfrikan.
Violation of the European Union’s GDPR by SureBet247
A German citizen (Stefan) who also lives in Germany confirmed to iAfrikan that the e-mail address and other personal information found in the data dump provided as proof of the data breach are his details. He also confirmed that he did register with SureBet247 during 2014.
“[I registered] Probably shortly before 12 Feb 2014. On that date, I got the first email, a newsletter from them. For some reason, I cannot find any actual response e-mail to my registration. Maybe they did not send one. Usually, I do not lose mails,” remarked Stefan when confirming to iAfrikan that he did register with SureBet247 as a customer.
Is the European Union’s GDPR enforceable in Nigeria?
“It’s worth noting, in this case, that the GDPR applies extraterritorially, meaning that if a company collects data from someone in the European Union, the company is required to comply with the GDPR. However, if a Nigerian company is found to be in violation of the GDPR, it’s not entirely clear how or whether EU regulators would enforce the law,”