A Canadian man, Jason Ferguson, is currently under an ongoing investigation after he tried to resell hacked data of 650,000 customers of the Irish bookmaker, Paddy Power, for the price of 7,600 Euro (or a fraction over one cent per person). The hacked files, containing the names, email addresses, emails and birthdates were initially illegally obtained in 2010 before Jason Ferguson allegedly bought it from an unnamed online seller in Malta.
While personal data of thousands of consumers have been exposed in this incident, Ferguson believes he did not commit any crime as he claimed to have legally purchased those data for marketing purposes before trying to sell it as a “data broker”.
This data breach also puts the light on the lack of oversight in the activities of data brokers. While Canada and the EU have an established adequacy mechanism for the protection of personal data, it did not suffice to stop Ferguson from buying hacked data or to punish the infringement. At a time where the EU is trying to adopt a new framework for data protection, enhancing users’ control over their personal information, greater control over data brokers operation must be adopted.
Studies have already pointed out the incredible journey your personal data can take, when purchasing online for instance, leading your information to end up in the hand of businesses or persons you never heard of before, such as Jason Ferguson.
International instruments exist to fight against cybercrime in order to reduce the number of these types of incidents, such as the Budapest Convention on Cybercrime. It is unfortunate however that several countries, such as Canada, who was involved in the drafting process and signed this Convention feel no particular need to implement measures to address such abuses nor, indeed, to sign or ratify the Council of Europe Convention on Processing of Personal Data.
Broker tried to sell details of 650,000 Paddy Power customers for €7,600 (12.08.2014)
Commission decisions on the adequacy of the protection of personal data in third countries
The big deal with personal data (only in German)
Council of Europe Convention on Protection of Individuals with regard to Automatic Processing of Personal Data
(Contribution by Estelle Massé, EDRi member Access, International)