Updated with statement from PokerStars (below).
TSG Interactive US Services Limited, which does business as PokerStars in the United States, is sending out notifications to some of its American online players that they may have had their personal information stolen via a hacking of files likely done by the Russia-based "Cl0p" ransomware group.
The hacking involved a vulnerability within the MOVEit file transfer application published by Massachusetts-based Progress Software Group (PSG) that was exposed on May 31. PSG quickly notified its hundreds of corporate clients of the breach, while Cl0p issued a "zero-day" ransomware threat on the dark web regarding the contents of the stolen files.
PokerStars US immediately ceased its use of the MOVEit file-transfer app, as did many other companies. They also quickly launched an investigation. In a letter dated July 20, 2023 that is being sent to affected players in Maine, PokerStars US writes, "On June 2, when we became aware of the vulnerability, we immediately launched an investigation and engaged external experts to assist. We also notified law enforcement and continue to support their investigation. The investigation determined that some files associated with PokerStars may have been copied by an unauthorized third party from May 30 to May 31, 2023 as a result of this vulnerability.
"Please be aware that this incident only affected the MOVEit Transfer application and all of our services
continue to operate as normal." The same letter may also be sent to players in other jurisdictions, though that is not stated in the draft copy. The stolen information likely included players' names, addresses, social-security numbers, and other personal ID.
Filing with Maine Attorney General's office acknowledges breach
In instances where government investigations are ongoing, companies regularly notify investigators and regulators about the specifics of the hacking. PokerStars US forwarded information regarding the MOVEit breach to the Maine Attorney General's office. Many other US states and international jurisdictions may be conducting parallel investigations, and the investigation is far from limited to online-gambling concerns. A recent update from Cybernews states that nearly 400 companies are known to have been impacted by the massive MOVEit breach.
The notification from TSG Interactive US Services Limited to the Maine AG office declares that 110,291 of PokerStars' American players may have been breached. Of those, nine (9) lived in Maine. PokerStars is available online in three US states -- New Jersey, Michigan, and Pennsylvania -- but players in other US states or from other countries can play on PokerStars US if they are physically present in one of those three states.
PokerStars US already pools players from Michigan and New Jersey, necessitating the use of frequent file-transfer services. It is unknown at this time if the 110,291 figure represents only Stars' US players who have used the Michigan or New Jersey platforms, or if it also includes players from Pennsylvania, a standalone state.
PokerStars issues statement regarding hacking
A PokerStars representative also reached out to PokerOrg with some additional information following this article's initial publication. The heart of the statement reads as follows:
We can confirm that PokerStars has been impacted by the global cybersecurity incident involving the MOVEit Transfer application. Upon learning of the vulnerability, we promptly disabled access to the affected application and mobilised external IT forensic experts to thoroughly investigate the incident.
We have determined that some files associated with our PokerStars employees and customers may have been copied by an unauthorised third party as a result of this vulnerability and have notified impacted employees and customers as appropriate.
This incident has affected the MOVEit Transfer application only and all of our services continue to operate as normal.
PokerStars is committed to continuing to create a safe place for people to play and work. Game integrity, security and trust are core to who we are, and the security of data is of the utmost importance to us.
PokerStars to provide Experian IdentityWorks access
According to the lettet drafted by PokerStars parent Flutter to be sent to the impacted Maine players, PokerStars will provide monitoring via Experian, a leading service in tracking financial and credit information.
"Out of an abundance of caution, we are offering a complimentary 24 month membership of Experian’s®
IdentityWorksSM.... We have also included recommendations on how you can protect against possible fraud, identity theft or other financial loss in the Additional Steps Section." The letter will be sent via physical mail to impacted customers.
Featured image source: PokerStars US