Personal data of 65,000 FoxyBingo players sold for cash

Like playing online bingo? You might well find that you’re gambling with more than money if thieves wind up with your personal data.

That’s what happened to 65,000 players of online bingo at, which is billed by its owners, Cashcade Ltd., as the U.K.’s top bingo site.

The U.K. Information Commissioner’s Office (ICO) reported on Thursday that a former gambling industry worker who unlawfully obtained and sold personal data relating to over 65,000 online bingo players has been found guilty of committing three offenses under section 55 of the Data Protection Act.

Marc Ben-Ezra, of Finchley, has been ordered to pay Cashcade Limited £1,700 ($2,311.83 USD) and to cover costs of £830.80 ($1,129.80 USD). He’s also been given a three-year conditional discharge.

Mr. Ben-Ezra first tried to sell the customer data in May by sending a series of emails to a number of contacts within the UK gaming industry. He emailed under the pseudonym Malcolm Edwards and included in his communications a sample data set relating to 400 Foxy Bingo customers.

Cashcade, which markets the Foxy Bingo brand and is the data controller for its customer information, was concerned and wanted to know how its customer data had been obtained. The company hired an investigator to conduct a test purchase of the data – which contained over 65,000 Foxy Bingo customers’ personal details – and forked over £1,700 cash ($2,311.83 USD) for it. Cashcade then turned the matter over to the ICO.

The investigation led Cashcade to believe that the test data, which lacked customers’ bank account details, was stolen in 2008 and sold to Mr. Ben-Ezra, who was working for a poker company in Israel at the time. Cashcade hasn’t yet been able to identify the perpetrators of the 2008 breach but has taken remedial steps to prevent a recurrence and is chasing after other thieves.

Mr. Ben-Ezra managed to get his hands on customers’ names, addresses, email addresses, telephone numbers and usernames. He also had in his possession and offered to sell customer information relating to 404 Gala Coral customers from 2008. The data controller – Gala Coral Group – has confirmed that they believe that the information was unlawfully obtained from their management information system.

The ICO’s investigators tracked down Mr. Ben-Ezra by tracing his email address, which was registered to the business address of his father-in-law.

During an interview with investigators, Mr. Ben-Ezra handed over laptops containing the data, admitted to the crimes, and told his interviewers that the practice of buying and selling customer data was widespread during his time working in the gaming industry in Israel. He told officers that he kept the data he had obtained in Israel and, on moving to London, sold it as a way of paying off his gambling debts. So far, investigators have been unable to
recoup the lost money.

The ICO said it hasn’t received complaints from the customers on the lists.

Ben-Ezra’s relatively light punishments are all to the great chagrin of U.K. Information Commissioner Christopher Graham. “We still don’t have a punishment that fits the crime,” he said in the ICO’s release about the incident. “The ICO continues to push for the government to activate the 2008 legislation that would allow courts to consider other penalties like community service orders or the threat of prison.”

It’s good to hear a champion for privacy urging stronger penalties. Not that having a Data Protection Commissioner necessarily means that anybody’s protecting our privacy.

On one hand, the German Data Protection Commissioner for Hamburg, Johannes Caspar, today declared that he’ll soon be fining Facebook over its use of biometric facial recognition technology. According to ZDNet, Caspar is giving up on negotiating because Facebook has ignored a deadline he set for the company to remove the feature. Facebook may be looking at fines up to €300,000 ($420,000 USD).

As far as Ireland goes, I was initially impressed that Max Schrems filed 22 complaints with the Irish Data Protection Commissioner against Facebook for privacy violations in the Europe v. Facebook battle. But since, I’ve learned that the Irish Data Protection Commissioner, responsible for enforcing and monitoring compliance with data protection legislation such as the Data Protection Acts of 1988-2003, has only been responsible for one prosecution to date.

One? Just one? From the office responsible for prosecuting people who send spam email and text messages? Has Ireland only ever had one spammer? Really? Can I move there? Now?

Hopefully, the Europe v. Facebook complaints will give the Irish Data Protection Commissioner a chance to change that record. But it’s still not clear whether having a data protection tzar actually helps.

A measly €300,000 barely seems like a pimple in the road for the well-funded Facebook, never mind a hurdle. If Mr. Schrems’ complaints stick, hopefully the results will be real, fundamental change to how Facebook handles privacy, more than a half-million slap on the wrist.

In the meantime, don’t gamble that your personal information will be safe with online gambling venues. Or at online anything, for that matter.