Cyber Incident Victim: Full Tilt Poker

On May 30 and May 31 of 2023, TSG Interactive US Services Limited, which operates under the name PokerStars, experienced an external system breach. The incident was identified as a hacking event that resulted in unauthorized access to the company's systems. The breach was discovered by the organization on June 2, 2023, three days after the initial intrusion period concluded. The investigation into the event determined that the attacker or attackers successfully acquired personal information belonging to a significant number of individuals. The total number of persons affected by this data security incident was 110,291, which included individuals from various jurisdictions. Among this group, nine were identified as residents of the state of Maine.

The specific category of information acquired during the breach was confirmed to be names or other personal identifiers in combination with Social Security Numbers. This combination of data points is particularly sensitive as it can be used for identity theft and financial fraud. The compromise of Social Security Numbers necessitates a high level of caution and response due to the permanent nature of this identifier and the difficulty individuals face in recovering from its misuse. The breach did not extend to offering identity theft protection services to the affected individuals, as the company opted not to provide such a remedy.

In accordance with legal requirements, because the number of affected Maine residents exceeded 1,000 individuals when aggregated with other breaches, the consumer reporting agencies were notified of the event. This step is part of standard protocol to alert these agencies to the potential for an increase in fraudulent activity attempts. For the individuals themselves, the company planned a written notification process. The date set for notifying consumers was July 20, 2023, which was nearly seven weeks after the discovery of the breach. This timeline allowed the company to complete its investigation and prepare the necessary communication materials.

The entity responsible for the breach notification to the authorities was represented by legal counsel. Will Daugherty, a Partner at the law firm Norton Rose Fulbright, acted as the attorney for TSG Interactive US Services Limited. He served as the official submitter of the breach details to the Office of the Maine Attorney General, providing the required information about the scope and nature of the incident. The firm's contact information, including telephone number and email address, was supplied to facilitate any necessary follow-up communication from the state agency. The physical address of the affected entity was listed as 251 Little Falls Drive in Wilmington, Delaware, with a zip code of 19808, classifying it as an Other Commercial organization.

The submitted documentation included a copy of the notice that was to be sent to the affected Maine residents, identified by the filename EXPERIAN_Job42179d20_TSGPlatforms(Ireland)Limited(Flutter)_L01_SAS_1.pdf. This document would have contained the specific details communicated to the individuals whose data was compromised, explaining the nature of the breach and the information that was exposed. There was no record of any previous breach notifications submitted by this entity within the twelve months preceding this incident, indicating this was a standalone event for the company during that timeframe. The response was managed as a discrete incident with a defined period of occurrence and a subsequent discovery and notification process.