Some placed bets with other people's money
The B.C. Lottery Corp. disabled its online gambling site last week because the accounts belonging to 134 users had been compromised, organization president and CEO Michael Graydon said Tuesday.
Graydon said that after a major relaunch of the website on Thursday, about $8,000 was wagered by accounts controlled by someone other than the owner and in 12 cases, users were able to view other people's personal information.
In one case, he said, the last four digits of a person's credit card were compromised. In another, the breach revealed banking information "similar to what you would find on the bottom of a personal cheque."
The explanation comes in stark contrast to what B.C. Lottery Corp. had said previously on why it had disabled its online gambling site, PlayNow.com, just hours after a major expansion and relaunch on Thursday morning.
In an interview Friday afternoon, a company official said the site was taken down because it was overloaded with traffic, leading to "slowness" or "not good responsiveness."
Company vice-president Kevin Gass made no mention at the time of a security breach.
On Tuesday, Graydon said the company opted not to reveal information about the breach until it knew what had taken place, and until after it had informed those who had been affected.
"Our first priority was really to our players and making sure we got to them first," he said.
"We wanted to make sure that they heard from BCLC and not read it in the newspaper."
Critics were quick to pounce.
"It's very concerning that they spun this on Friday — the minister and the corporation — as being about too many enthusiastic people wanting to play on the site," said New Democratic Party critic Shane Simpson.
"We now know that they were fully aware on Friday that this was a security breach," he added, saying the response by both government and B.C. Lottery Corp. was "not honest".
Minister of Housing and Social Development Rich Coleman, who is responsible for the B.C. Lottery Corp., was not available for comment Tuesday.
Staff in Coleman's office referred all questions to Graydon.
"We haven't lied to anyone," said Graydon.
"We've only been open and transparent with the customers affected. We identified them very quickly and we communicated with them very quickly."
Officials at B.C. Lottery Corp. said staff in the IT department had noticed Thursday the site was lagging, but were not aware of the security issue until contacted by a user.
"A PlayNow.com player contacted BCLC's consumer services department to report that he had seen another player's account information," said a statement issued by the company.
"BCLC immediately contacted the other player and very shortly after that made the decision to close down the website so that we could investigate and make a thorough assessment of the situation."
Graydon added the decision to pull down the site was made immediately. The site was offline by late Thursday afternoon.
He added the software for the site is provided by OpenBet, which he said has been in business for more than 11 years.
Graydon said the problem was due to a data crossover — a malfunction during which some players were switched by accident from their own account into someone else's, often without them realizing.
Once people were in another person's account, he said, they had the ability to view the other user's personal information and bet with their money.
Graydon said the issue led to about 134 accounts being compromised.
He said B.C. Lottery Corp. officials have been able to retrace the steps of each account and are now working to reconcile all accounts while also ensuring all winnings are honoured.
He added this review of account activity has also determined that in 12 cases, sensitive personal information was improperly displayed.
Graydon said B.C. Lottery Corp. has been in touch with everyone affected, and is providing services to eight customers to ensure their identity is protected.
He added he does not believe the issue will shake people's confidence in his organization.
Graydon said the data crossover problem resulted from a deluge of traffic, adding that tens of thousands of people came to the site after Thursday's high-profile relaunch of PlayNow.com.
"We had volume assumptions and we tested against those assumptions," he said.
"Obviously our assumptions were incorrect."
On Tuesday, Information and Privacy Commissioner Elizabeth Denham said B.C. Lottery Corp. told her about the issue on Friday, and said she has so far been pleased with its response.
"I think they've been responsible," she said.
"I also think they've been really cooperative and have implemented all of the recommendations we provided to them on redress for affected individuals," she added.
Denham said she would like to see an assurance all issues have been resolved before the site again goes live.
In a statement issued Tuesday, B.C. Lottery Corp. said: "PlayNow.com will be restored when a solution is implemented that meets the highest levels of player protection and receives third party approval and regulatory certification."