Security should be a priority concern for online casinos. From ensuring gamblers get the safest possible experience to protecting the website and servers from external attacks, security thresholds are a licensing issue, quite apart from being a credibility issue for reputable online casinos.
A cautionary tale then from Cyprus and Curacao, where a group of online casinos inadvertently exposed the details of over 100 million gambling transactions. While there is no suggestion of malicious intent, an internal server which allows administrators to search through this kind of data was left without password protection.
First uncovered by security researcher Justin Paine, as reported in ZDNet, the public-facing information was clear enough for him to deduce it was related to a group of online casinos, offering games including table games and slots.
According to the article, the ElasticSearch server in question should never have been reachable from the internet at all.
“ElasticSearch is a portable, high-grade search engine that companies install to improve their web apps’ data indexing and search capabilities. Such servers are usually installed on internal networks and are not meant to be left exposed online, as they usually handle a company’s most sensitive information.”
“Last week, Paine came across one such ElasticSearch instance that had been left unsecured online with no authentication to protect its sensitive content. From a first look, it was clear to Paine that the server contained data from an online betting portal.”
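The two settings the quoted passage turns on, where the instance listens and whether the HTTP API demands credentials, can be checked before a node ever goes live. The script below is an added example written for this article; it is not code from ZDNet, from Paine's research, or from the casino operators. It audits an elasticsearch.yml for the combination that produces exactly this kind of exposure: bound to a non-loopback address with security disabled. The setting names (network.host, http.port, cluster.name, xpack.security.enabled) are real Elasticsearch settings; the two sample configurations are constructed for the example, and the key/value parser is deliberately minimal rather than a full YAML parser.

```python
# Added example (not from the article): audit elasticsearch.yml for the
# "reachable from the network with no authentication" failure mode.
#
# Assumptions, labelled: the two configs below are constructed samples, not
# the incident's real configuration; parsing handles simple "key: value"
# lines only (no nested YAML).

WEAK_CONFIG = """
# constructed sample: listens on every interface, no authentication
cluster.name: betting-search
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """
# constructed sample: loopback only, authentication required
cluster.name: betting-search
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Values of network.host that keep the node off the network.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_settings(text):
    """Return a dict of top-level 'key: value' settings, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit(text):
    """Return a list of findings; an empty list means no exposure found."""
    s = parse_settings(text)
    findings = []

    # Elasticsearch binds to loopback when network.host is absent.
    host = s.get("network.host", "_local_")
    bound_externally = host not in LOOPBACK_HOSTS
    if bound_externally:
        findings.append(f"network.host={host}: node listens beyond loopback")

    # The default for xpack.security.enabled has changed between major
    # versions, so require it to be set explicitly rather than trusting it.
    security = s.get("xpack.security.enabled")
    if security is None:
        findings.append("xpack.security.enabled not set: default depends on "
                        "version, set it to true explicitly")
    elif security.lower() != "true":
        findings.append("xpack.security.enabled=false: HTTP API accepts "
                        "requests without credentials")

    if bound_externally and security != "true":
        findings.append("CRITICAL: reachable from the network without any "
                        "authentication (the failure mode described above)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "no findings")
```

The check is intentionally conservative: a missing xpack.security.enabled is reported as a finding rather than assumed safe, and an empty result is only returned when the node is both confined to loopback and explicitly requires credentials. In practice the same audit belongs in the deployment pipeline so that a node with the weak combination is rejected before it is started, which is the point at which the incident described above could have been prevented.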
Several sites were mentioned by name in the article, including kahunacasino.com, azur-casino.com, easybet.com, and viproomcasino.net, some of which appear to be based in the same office building in Cyprus, with others sharing a Curacao license.
Alongside basic transactional information such as deposits and withdrawals, the server also exposed details like names, addresses, emails, phone numbers, date of birth, and much more besides. Alarmingly, payment information was also vulnerable, albeit partially redacted.
While the site operators were approached by ZDNet for comment, none has as yet issued a response. The server has, however, been taken offline, though it is unclear whether this was a move on the part of the companies involved or their cloud provider taking proactive steps to protect its client.
Curacao has long been expected to be upping its game, as far as regulating online casinos is concerned, following growing pressure from the Dutch government to tighten up its licensing conditions. This latest embarrassing and potentially harmful breach will only add more impetus to that effort, which was previously described by the Curacao Gambling Board as a means to tackle “illegal providers.”
The news of the security breach should serve as a wake-up call for all gambling operators, and provides yet another chance to review security measures. Depending on where an operator is licensed, breaches of this kind can and should result in the severest of penalties.
With regulators like the UK Gambling Commission renowned for expecting high compliance standards from their licensed operators, the breach is yet further confirmation that this level of oversight is essential.
Of course, there’s a balance to be struck, and not all regulation is good regulation. But when it comes to security, and in particular safeguarding the personal details of players, there’s no excuse for operators not to get it right.
While the data breach in question was not necessarily used to nefarious ends, it could just as easily have fallen into the wrong hands. Gambling operators, wherever they are based, have a duty to make sure this doesn’t happen again.