Jason Ferguson, the man accused of hacking and stealing information from 649,055 Paddy Power customers, says he bought the data through an online message board last December and denies accountability.
He told Bloomberg News that he was also offered a new dataset for €7600 (£6030). “I bought lots of data for marketing but I did not hack anything.”
“Is it ethical? To my knowledge, there’s no precedent. I thought I was acting within the realm of legality,” he added.
The full extent of the 2010 hacking episode became known to Paddy Power in recent months when it took legal action with the assistance of the Ontario Provincial Police to retrieve the compromised dataset.
Following a verification process on a sample of data, they sought and received two court orders to seize Ferguson’s IT assets, recover and delete records, examine his bank accounts, other financial transactions, and question him. The court orders were secured and executed in Canada during the second week of July.
While the historical dataset did not contain customers’ financial information such as credit or debit card details, individual customer’s names, usernames, addresses, email addresses, phone contact numbers, dates of birth and prompted questions and answers were recorded, something Ferguson believes rival firms could have used to win new players and affiliates.
“This data is very very good and a unique marketing opportunity as you can get immediately a ton of players and affiliates,” he told Saumarez Smith, manager of a consultant group that probes suspected hacks, who was acting as a potential buyer and interested party.
“You get exclusive rights as he wants to foster repeat business and long-term relations with people.”
“Once I pay him the cash, he delivers all links,” he later wrote, referring to his contact based in Malta. Paddy Power has yet to comment on whether they will pursue the alleged trader.