NEWS RELEASE · 19th August 2010
Privacy Commissioner of BC
The following is a compilation of three items. The first is a BC government news release on the topic. The second is a direct copy of the letter from the privacy commissioner to the president and CEO of the BC Lottery Corporation, Michael Graydon. The third is a direct copy of the letter from the Assistant Deputy Minister of the Gaming Policy and Enforcement Branch, also to Michael Graydon.

The letter from the ministry seems to indicate playnow.com has been approved for a re-launch. The letter from the privacy commissioner appears to be less certain. We provide the full text content of these letters for you to form your own opinion.


The Information and Privacy Commissioner for British Columbia has accepted the findings of the independent security expert and is satisfied that the cause of the security breach affecting British Columbia Lottery Corporation's gambling website, Playnow.com, has been addressed.

The commissioner notified BCLC President Michael Graydon by letter on August 19, 2010.


Information and Privacy Commissioner, Elizabeth Denham's Letter to BCLC President Michael Graydon

August 19, 2010

Michael Graydon
President and Chief Executive Officer
BC Lottery Corporation
10760 Shellbridge Way
Richmond BC V6X 3H1

Dear Mr Graydon:
Breach Notification—BC Lottery Corporation—OIPC File F10-42797

I write further to my investigation regarding the breach of personal information that was reported to my office by the BC Lottery Corporation (“BCLC”) on July 16, 2010. The breach occurred on July 15, 2010, the same day as the launch of the online gaming casino portion of the PlayNow.com website, when some customers reported to BCLC that they were able to view the personal information of other customers. After investigating these phone calls, BCLC revoked public access to PlayNow.com and the website remains offline.

BCLC provided my office with timely notification of the breach and worked effectively with my office in ensuring that BCLC provided the affected customers with appropriate notification.

BCLC then conducted an internal investigation to identify the cause of the breach. BCLC determined that the root cause was a “data crossover” caused by a configuration setting within the computer server environment that, under certain conditions, resulted in the incorrect assignment of stored customer credentials to a customer who was not the rightful owner of the credentials. The effect was that the “data crossover” caused some customers to be switched to the accounts of other customers.

After my discussions with you and Derek Sturko, Assistant Deputy Minister, Gaming Policy and Enforcement Branch, BCLC agreed that it would not reactivate the PlayNow.com website until an independent review had been conducted. Deloitte & Touche LLP Canada (“Deloitte & Touche”) was hired to confirm the cause of the breach, review the adequacy of the proposed remediation and to conduct a broader review of BCLC’s PlayNow.com site. This independent review was divided into two phases, an immediate review of the cause and remediation and a broader review of BCLC’s PlayNow.com website.

After conducting the first part of its review, Deloitte & Touche issued its August 17, 2010 report, PlayNow.com incident and remediation review. Deloitte & Touche concluded:

Deloitte is confident that the root cause identified by BCLC did cause the data crossover issue and that the remediation plans developed and implemented by BCLC, effectively remediates the root cause. These conclusions are based on our evaluations as at August 7, 2010.

Based on my investigation, including a technical review of the above reports and other information provided by BCLC, I accept that the cause of the July 15, 2010 privacy breach has been identified and that the remediation plans developed and implemented by BCLC will prevent “data crossover” from occurring again.

As you know, during the initial stages of our investigation my office has been focussed on confirming the specific cause of the privacy breach and on determining whether BCLC has taken reasonable measures to ensure that the cause has been corrected.

Gambling websites require the collection, use and disclosure of customer financial information. The nature of these websites exposes personal information to greater risk. My office will continue its investigation of this matter, including the monitoring of Deloitte & Touche’s comprehensive review of BCLC’s PlayNow.com site and governance relating to the management of system risk. My office’s investigation will also consider whether the PlayNow.com network architecture and related components implemented by BCLC ensure that appropriate levels of security are in place for the protection of the personal information of BCLC’s customers.

At the conclusion of our investigation, my office will make a public report.

Sincerely,
ORIGINAL SIGNED BY
Elizabeth Denham
Information and Privacy Commissioner
for British Columbia

Copy: Derek Sturko
Assistant Deputy Minister
Gaming Policy & Enforcement
Ministry of Housing & Social Development


The letter from Derek Sturko, Assistant Deputy Minister of the Gaming Policy and Enforcement Branch to BCLC President Michael Graydon.

August 19, 2010

Michael Graydon
President and Chief Executive Officer
BC Lottery Corporation
10760 Shellbridge Way
Richmond BC V6X 3H1

Dear Michael Graydon:

Re: Reactivation of PlayNow.com website

I am writing to confirm that the technical review of the PlayNow.com incident and remediation activities is now complete. This includes: the work undertaken by staff of the BC Lottery Corporation; testing of the issue and the Corporation's remediation efforts by TST, a GLI Company (TST); and Deloitte & Touche LLP Canada's (Deloitte) completion of phase one of its review of the PlayNow.com system.

Deloitte has confirmed it is confident that the root cause for the "data crossover" between account users has been correctly identified and that the remediation plan effectively resolves this issue.

Gaming Policy and Enforcement Branch has provided oversight of all of this activity and worked in cooperation with the Office of the Information and Privacy Commissioner (OIPC) as it considered the related privacy issues. As a result of all of the reviews and activities to date, including the results of TST's independent testing of the PlayNow.com platform and games, the Branch approves the re-launch of the website and all games fully certified to date.

The Branch will now initiate and oversee post launch activities, again in cooperation with the OIPC. These include:

• An Information Systems Security Audit to verify that the overall PlayNow.com network architecture and all related components have been implemented with appropriate levels of security and stability; and
• Phase two of Deloitte's review concerning IT general controls focussing on policies and procedures (including governance and risk management) used to implement PlayNow.com casino games.

Sincerely,

Derek Sturko
Assistant Deputy Minister

cc: Honourable Rich Coleman
Elizabeth Denham, Information and Privacy Commissioner for BC
Rick Saville
Steve Lefler