Betfair failed to inform over two million customers that their card details were stolen in a cyber-attack 18 months ago. The online bookmaker also neglected to mention the breach in its listings prospectus ahead of a floatation in October.
According to an internal report obtained by the Daily Telegraph, in March and April last year crooks - thought to be from Cambodia - infiltrated the gambling site's systems and stole the payment card details of around 2.3 million customers.
In addition, 3.15 million usernames with encrypted security questions were taken, 2.9 million usernames with addresses and 90,000 usernames with bank account details.
The security breach was not discovered until last May when a server crashed at the company's data centre in Malta.
Betfair informed the UK Serious Organised Crime Agency (Soca), law enforcement agencies in Australia and Germany and the Royal Bank of Scotland, which processes payments for the company.
However, customers were not told, a decision taken on the advice of Soca, says the firm. Nor was the breach mentioned in Betfair's prospectus for its exchange listing, which went ahead in October, just weeks after the internal report was completed.
Betfair now says the data "was unusable for fraudulent activity" and that its systems have been strengthened to guard against future attacks.
Criminals stole customer card data from Betfair just months before float - Telegraph