For sale: Personal details of millions of Ladbrokes gamblers, offered to the MoS by a mysterious Australian
Denial: Dinitha Subasinghe at his home in Melbourne
The confidential records of millions of British gamblers who bet with top bookmaker Ladbrokes have been offered for sale to The Mail on Sunday.
The huge data theft is now at the centre of a criminal investigation after this newspaper was given the personal information of 10,000 Ladbrokes customers and offered access to its database of 4.5 million people in the UK and abroad.
Last night we alerted Ladbrokes to the damaging security breach and handed the customer files to the Information Commissioner's Office (ICO), Britain's data watchdog, which immediately began to investigate.
The records include customers' home addresses, details of their gambling history, customer account numbers, dates of birth, phone numbers and email addresses.
Ladbrokes last night also called in the police and began contacting customers to reassure them that their credit card details, passwords and other financial information were safe.
The database was offered for sale by a mysterious Australian. He claimed to be a computer security expert who had worked at Ladbrokes in Britain.
During protracted negotiations via email and in one phone call, the man, who gave his name only as 'Daniel', claimed to represent a company based in Melbourne, Australia.
The company, DSS Enterprises, is run by Dinitha Subasinghe, a Sri Lankan-born IT expert.
Last night, Mr Subasinghe denied any involvement in the data theft. He designs websites and also runs a wedding planning business with his British-born girlfriend Charlene King.
Australia's companies house describes Mr Subasinghe as a 'sole trader'. His recent work has involved designing websites for estate agents in Melbourne, but he also lists Ladbrokes and the UK Ministry of Defence as clients.
He said yesterday: 'I have no access to any Ladbrokes database or any other information. I provided analytical services to them for 18 months during 2007 and 2008.'
Mr Subasinghe said he had been on holiday in the UK in November and still kept in touch with a couple of Ladbrokes staff on a social basis, and added: 'Unless my name, my signature, my fingerprint is on anything, it has nothing to do with me.
'I had a call from a senior person at Ladbrokes this morning. I did not take the call. I don't know what they are ringing me about.'
The Mail on Sunday received an email from 'Daniel' yesterday saying that he was ending the negotiations and warning us against passing his details to the authorities.
David Smith, the ICO Deputy Commissioner, said last night: 'The ICO takes breaches of individuals' privacy very seriously. Any organisation which processes personal information must ensure that adequate safeguards are in place to keep that information secure.
'We are grateful to The Mail on Sunday for bringing this security breach to our attention and will be contacting Ladbrokes to establish how it occurred and to find out what steps it will be taking to ensure that such a breach cannot happen again.
'We are particularly concerned that up to 4.5 million customer records containing personal information are allegedly for sale. Stealing personal data and selling it is a criminal offence. We will investigate whether an offence has been committed.
'We are determined to stamp out the unlawful trade in personal information and have recently urged the Government to introduce a custodial sentence for people convicted of buying and selling personal details.'
The Mail on Sunday was first approached by 'Daniel' - using the email address 'theinsidescoopuk' - earlier this month. He claimed to have worked as an IT security consultant for Ladbrokes two years ago. He said he had been passed the data by a 'relatively junior' employee, who was trying to sell it on.
'Daniel' claimed that his initial intention was to tip off Ladbrokes about the security breach, but he then decided it would be better to contact the media.
Last night Ciaran O'Brien, head of PR at Ladbrokes, said: 'We have been informed that a person connected to our organisation has offered certain details from a customer database to The Mail on Sunday.
'This is a criminal act and we are working with the police, the ICO and the newspaper to identify and apprehend the culprit.
'We are in the process of contacting customers to apologise for this breach in security and to reassure them that everything is being done to protect their personal information.
'Importantly, we do not believe that customer accounts or banking data can be accessed.'