SureBet247's woes over the data breach it has suffered may be about to become even more serious. Stefan, a German citizen living in Germany who is also a HAVE I BEEN PWNED subscriber, has confirmed to iAfrikan that the e-mail address and other personal information we found in the data dump, which an anonymous source provided as proof of the breach, are his details. Furthermore, Stefan (whose surname is known to iAfrikan) also confirmed that he did register with SureBet247 during 2014.
This possibly means that SureBet247 is in contravention of the European Union's General Data Protection Regulation (GDPR), for failing not only to keep a European citizen's data protected but also to disclose the possible breach to the customer as per GDPR guidelines. This comes after Nigeria's National Information Technology Development Agency (NITDA) confirmed to iAfrikan on 6 January 2019 that it is investigating SureBet247 for possible breach of the Nigerian Data Protection Regulation.
"[I registered] Probably shortly before 12 Feb 2014. On that date, I got the first email, a newsletter from them. For some reason, I cannot find any actual response e-mail to my registration. Maybe they did not send one. Usually, I do not lose mails," remarked Stefan when confirming to iAfrikan that he did register with SureBet247 as a customer.
Is the European Union's GDPR enforceable in Nigeria?
When the GDPR came into effect on 25 May 2018, it was quite clear that the EU data protection laws would potentially have a far-reaching impact beyond Europe. This is because anyone, or any organization, who has customers in the EU or processes the information of an EU citizen is subject to the GDPR.
This point is also echoed by Ben Wolford, editor of GDPR.EU (an independent publication created by ProtonMail, the Swiss encrypted email service). Wolford emphasized to iAfrikan that every data breach should be treated by all organizations as a serious concern.
"When people entrust their personal information via a website, the company has a duty to keep their data private and secure. That's the premise of most data protection laws, including the EU's General Data Protection Regulation. Among other things, the GDPR requires organisations to protect users' data with strong technical and organisational measures. And if there is a data breach, organisations are required to inform the victims."
"It's worth noting, in this case, that the GDPR applies extraterritorially, meaning that if a company collects data from someone in the European Union, the company is required to comply with the GDPR. However, if a Nigerian company is found to be in violation of the GDPR, it's not entirely clear how or whether EU regulators would enforce the law," added Wolford.
SureBet247 "migration challenges"
Although not necessarily linked to this data breach, SureBet247 appears to have previously experienced challenges when migrating some or all of its systems, as Stefan told me. In 2016, the Nigerian betting company appears to have sent all its customers an e-mail with the subject "Migration Challenges."
In the e-mail, the company reassures customers that their "balances" (money) are safe despite experiencing system migration challenges.
"Hello, As a brand which has integrity as its core value, we wish to re-assure you that your account balances, won/pending lost bets as well as deposits on our platform are untouched and intact. Should you notice a difference in your account balance, please send an email to firstname.lastname@example.org stating username/email, old balance, and new balance," reads part of the e-mail that SureBet247 sent to Stefan and other customers on 27 September 2016.
I mention this e-mail, although it is possibly unrelated to the current breach and was sent before the NDPR or GDPR were in effect, because in it SureBet247 says it values "integrity." Yet, since around 25 December 2019, the company has refused to engage regarding the data breach it has suffered.
Even worse is that the company did not even once ask iAfrikan or Troy Hunt, a security researcher and founder of HAVE I BEEN PWNED, for a sample or copy of the data dump from the breach to, at minimum, verify whether or not the data (which is dated as last being modified on 25 December 2019) is indeed that of their customers.
Recently, on 7 January 2020, SureBet247 went on to block not only me on Twitter for reporting on this breach, but also iAfrikan, Troy Hunt, and subsequently any other Twitter user who has mentioned that they were breached. This behavior, and many other subsequent communications between the Nigerian betting company and ourselves, displays a total disregard for customers' information protection and "integrity."
"Disclosure to all customers would be helpful, especially if sensitive information was breached. For example, credit card holders should be given a chance to have their card suspended. (I assume but have not checked that credit card details of other people were registered and breached)," said Stefan.
- 3 January 2020 - Nigeria's SureBet247 has suffered a potential security breach
- 6 January 2020 - Nigeria's NITDA confirms it is investigating SureBet247
- 9 January 2020 - BtoBet is investigating a security breach affecting its customers in Africa and South America, including SureBet247