One of Nigeria's more popular online sports betting companies, SureBet247 (surebet247[.]com), has suffered a potential security and data breach which has put thousands of their customers and their systems at risk. The data was found by an anonymous source who tipped off Australian security researcher and Founder of haveibeenpwned, Troy Hunt. Hunt subsequently got in touch with me after several days of attempts to reach SureBet247 and alert them that their customers and business could be at risk had failed.
SureBet247 is owned by Chessplus International Ltd, a Nigerian company which specializes in online gambling and casinos, co-founded by Sherif Olaniyan and Olasupo Badmus when they apparently met at university in Ilorin, Nigeria.
"The data was sent to me by an anonymous party who wanted the incident to come to light. They’d tried to make contact with Surebet247 but stated it was without success. The data is extensive spanning over 32GB of backups across 6 databases of various online betting assets. Within the databases there’s everything from user records to betting histories, the latter consuming more than 100M rows in one of the databases," said Hunt.
We were able to verify that the database, which includes data and table names such as the following (and many more), belongs to SureBet247, given the list of staff e-mail addresses, some data linked to the surebet247[.]com domain and more:
Frustration with SureBet247 support
As Hunt put it, 8 days ago his anonymous contact had tried, with no success, to alert the SureBet247 support team of the potential breach and risk; they received no response. Three days after that, Hunt also tried to contact the Nigerian betting operator's support team and got no response.
It was only on Tuesday 31 December 2019, after I tried various methods of getting hold of the people at SureBet247, that eventually there was a response. However, the frustration continued as the company continued to display a nonchalant attitude to the potential security and data breach they could have suffered.
When I alerted one of the Nigerian betting operator's customer care agents that we need a person that we can get in touch with and explain the breach and the data that was able to be accessed and possibly see how they can secure their systems, the agent answered, without asking for any further information, "We have done that sir. Thank you."
Realising that perhaps the agent didn't understand the urgency of my communication, I asked if there was a technical support person I could get in touch with at SureBet247. I was referred to the same e-mail address that Hunt had e-mailed before. Just like him, I received no answer from their technical support.
At this point, a day later, I contacted the customer care agent again, trying to explain how serious this is and that, at minimum, they need to alert their customers of the potential breach and the risks they face should their data fall into the wrong hands. Furthermore, I explained to the agent that it is better if they alert their customers rather than have them hear of the data breach via media publications. The agent responded by saying:
"That is ours to decide."
At this point it became clear that, given Hunt's and my experience with Nigeria's SureBet247, they were unlikely to notify their customers and were not taking the breach seriously. This further highlights the problem that many companies don't take data and security breaches seriously. Not only that, one would expect that a company that handles financial transactions would treat a potential security breach alert with urgency and have processes in place for dealing with such potential breaches once they have been communicated to them.
More betting operators affected?
Initially, we thought the database only related to Nigeria's SureBet247 and some of their related online assets, but upon closer inspection, it appeared that other online sports betting operators could be affected given the names of the databases that were shared with us.
At the time of publishing, none of the online sports betting operators had responded to iAfrikan to indicate whether they had suffered a breach or not. It was also important for them to, at minimum, engage to ascertain whether it was indeed their data and systems that were breached.
So far, none of them, i.e. BetAlfa, BetWay, BongoBongo, and TopBet, have responded or communicated to request more information or engage regarding the potential security and data breach.
Apart from the databases, the anonymous source also mentioned that they "have the source code of the following sites:"
Looking at the directory, some of the companies whose databases they shared (including SureBet247) also appear in this list of source code. However, one name caught my attention, which I initially thought was just a randomly chosen server name - Seavus.
A quick Google Search revealed that Seavus might not just be a randomly chosen server name but the name of a Swedish software development company that coincidentally develops and sells "iGaming Solutions" to provide what they call "endless possibilities for iGaming and betting operators."
At this stage, and at the time of publishing, it is not clear (given also that Seavus and all the betting operators are yet to respond to communications from iAfrikan) whether we are looking at a compromise and breach of Seavus' software, a breach of a few (or one) betting operators who run what Seavus call a "multi-brand platform", or if this indeed is a data and security breach at each of the betting operators.
"I’m yet to total the user records, but multiple databases contained hundreds of thousands of user records each so the number is substantial. Impacted data includes names, email addresses, dates of birth and betting records. It’s not yet clear whether passwords were also compromised, that’s something I’m hoping to clarify with them," concluded Hunt on the severity of the data breach on SureBet247.
This is a developing story and we will update it once new information becomes available.
- 6 January 2020 - Nigeria's NITDA confirms it is investigating SureBet247
- 7 January 2020 - Nigeria's SureBet247 could be in violation of GDPR
- 9 January 2020 - BtoBet is investigating a security breach affecting its customers in Africa and South America, including SureBet247