date 2023-01-20

The US Securities and Exchange Commission (SEC) has been informed by Nueva Codere of a cyberattack on its subsidiary Codere Online, resulting in losses of €744,000.

The admission to the SEC outlined ‘weaknesses in internal controls’, which allowed hackers to access Codere Online’s email systems.

The cyberattack saw hackers pose as ‘Codere Online agents’, who sent ‘manipulated invoices’ to various suppliers of the company demanding urgent payment.

Codere deems the cyberattack to be ‘an isolated event’, in which “the account deposits of the users or their passwords were not put at risk, nor were the confidential data of their users accessed.”

In addition, banks involved in processing nefarious transactions were made aware of the attack as Codere begins to retrieve its losses.

The SEC filing saw Codere admit to “internal control failings handling financial information data due to an ineffective design and weaknesses of its payment system” and to an “inability of cybersecurity systems to prevent the attack”.

“Codere Online did not maintain effective controls over its information processing systems, as a result of the existence of certain material weaknesses in internal control.”

Having reviewed internal controls, Codere underlined that it found no evidence of any company employee's involvement in assisting the cyberattack, which was branded as “technologically sophisticated”.

Codere ended its statement by reassuring the SEC that it had begun processes to improve its IT security and internal system controls.

The cyberattack is the second time Codere has had to admit a security breach to a market’s authority. In 2020, Spain’s Data Information Agency (AEPD) was informed of a server hack at Codere, which had leaked sensitive customer data related to encrypted passwords, national IDs, residences, IP locations and contact information (customer addresses, postcodes, emails and telephone numbers).

The previous incident saw Codere inform 500,000 customers of potential data breaches related to their personal information, followed by an AEPD-assisted audit that revealed that the server leak had impacted 64,000 customers.