Published: March 27, 2026

Player data leaks: Inside iGaming’s cyber crisis

With sensitive player data under attack, why isn't the industry able to maintain control and keep its house in order?

In gambling, risk is supposed to be contained within the game. But a growing threat is lurking in the background: the exposure of player data.

A string of breaches – from the Merkur incident in Germany to high-profile criminal cases involving hacked fantasy sports platforms in the United States – has begun to shift regulatory attention. But the industry’s response remains uneven and, in some corners, worryingly complacent.

The underlying problem is structural. iGaming platforms do not merely store usernames and passwords. They hold a dense concentration of personal and financial information: identity documents, payment credentials, behavioural patterns and geolocation data. This makes them unusually attractive targets.  

As Cris Kuehl, chief data, information and AI officer at Continent 8 Technologies, puts it: “The threat is substantial – greater than many outside the sector recognise. Our data shows a 400% increase in cyber incidents affecting online and land-based casino operators since February 2025.”  

The scale of that rise suggests a shift from opportunistic attacks to systematic targeting. It also underscores a deeper vulnerability: while iGaming has grown rapidly across jurisdictions, its security maturity has not kept pace. 

A valuable target 

The industry’s exposure stems from the richness of its data. Mark Flores Martin, CEO of AI platform developer XGENIA, describes the appeal: “A breached gaming account gives attackers a complete identity, not just a credit card number.”

In contrast to many sectors, where data sets may be fragmented, iGaming platforms often centralise identity verification (KYC), payments and behavioural analytics in a single environment. 

This concentration magnifies the consequences of a breach. Rather than targeting multiple systems, a single successful intrusion can yield a comprehensive digital profile of a user – useful not just for fraud within the platform, but for identity theft and financial crime elsewhere. 

Yet the industry’s response is mixed. Larger operators, particularly those with established technology teams, have begun investing heavily in cybersecurity. But beyond this top tier lies a fragmented world of smaller operators, where security is often treated as a regulatory hurdle rather than a strategic priority.

Flores Martin captures this imbalance: “At the top end, large operators invest properly. But the long tail often treats cybersecurity as a licence checkbox.” The result, he points out, is a patchwork ecosystem in which weak links are both numerous and difficult to monitor. 

Speed versus security 

Part of the problem is cultural. iGaming is an industry defined by speed – new markets, new products, constant iteration. Security, by contrast, is often perceived as friction. Kuehl identifies this tension as a leadership issue: “Security is often perceived as an obstacle to that pace, resulting in reduced scope or deprioritised controls.” The pressure to “ship now, harden later”, as Flores Martin describes it, creates what he calls “compounding security debt”. 

This debt is worsened by structural complexity. Many operators expand through acquisitions or partnerships, resulting in a patchwork of legacy systems, third-party integrations and overlapping responsibilities. In such environments, visibility is limited. No single team has a complete view of the attack surface. 

Talent shortages add to the issue. With millions of cybersecurity roles unfilled globally, operators must compete with fintech and large technology firms for scarce expertise. Not all can offer the salaries or technical challenges that attract top-tier talent.

The result is a dangerous misconception: that being compliant is the same as being secure. Passing an audit may satisfy regulators, but it does not necessarily reflect how a system holds up under real-world attack. As Kuehl observes: “Passing an audit can create a false sense of confidence.”

Well-known vulnerabilities

If iGaming platforms are vulnerable internally, they are even more so externally. The sector relies on an extensive network of third-party suppliers: payment processors, game studios, KYC providers, affiliate platforms and infrastructure partners. Each connection represents a potential entry point. 

In Merkur’s case last year, a breach within its platform provider The Mill Adventure exposed a weakness that enabled ethical hacker Lilith Whittman to access up to 800,000 people’s data across Merkur’s online portfolio in Germany.

Kuehl describes third-party risk as “one of the most consistent exposure points within the iGaming sector.” Operators often lack a clear understanding of how APIs (the interfaces through which separate software systems exchange data) and external systems interact with their own environments.

The vulnerabilities are well known. Vendors are frequently granted excessive access privileges. Credential management is weak. Software components go unpatched. Contracts lack specific security requirements. Flores Martin adds further detail, pointing to “overprivileged API keys”, “insecure KYC document sharing” and “weak webhook validation” as recurring issues. 
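“Weak webhook validation”, as mentioned above, usually means a payment or KYC callback is trusted because it arrived at the right URL or carries a header with the right name, so anyone who learns the endpoint can post a forged “payment succeeded” event. The following example is added here for illustration and is not code from the article or from any vendor named in it; the header names, the shared secret and the event payload are assumptions. It shows the trusting pattern beside a receiver that verifies an HMAC over the raw body and a timestamp, compares in constant time and rejects replays.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set

# Assumed shared secret and header names for the example; not real credentials.
WEBHOOK_SECRET = b"example-psp-shared-secret"
TOLERANCE_SECONDS = 300  # events older than five minutes are treated as replays


def weak_is_trusted(headers: Dict[str, str], body: bytes) -> bool:
    """The insecure pattern: the request is believed because it carries a
    header with the expected name and its JSON claims to come from the PSP."""
    payload = json.loads(body)
    return "X-PSP-Signature" in headers and payload.get("source") == "psp"


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """What the sending side computes: HMAC-SHA256 over '<timestamp>.<raw body>'.
    Binding the timestamp into the MAC means an old, genuinely signed event
    cannot be re-sent later with a fresh timestamp."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None,
                   seen_ids: Optional[Set[str]] = None) -> bool:
    """Hardened receiver: signature over the raw bytes, constant-time compare,
    freshness window, and per-event-id replay protection."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-PSP-Timestamp"])
        provided = headers["X-PSP-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: possible replay
    expected = sign(body, ts)
    if not hmac.compare_digest(expected, provided):
        return False  # compare_digest avoids the timing leak of a plain '=='
    # Only parse the JSON once the signature has been verified.
    event_id = json.loads(body).get("id")
    if seen_ids is not None:
        if event_id in seen_ids:
            return False  # duplicate delivery inside the window
        seen_ids.add(event_id)
    return True


def demo() -> Dict[str, bool]:
    """Runs a constructed genuine event, a forgery and a replay through both receivers."""
    now = 1_700_000_000  # fixed clock so the run is reproducible
    body = json.dumps({"id": "evt_001", "source": "psp", "player": 42,
                       "amount": 500, "status": "succeeded"}).encode()
    genuine = {"X-PSP-Timestamp": str(now), "X-PSP-Signature": sign(body, now)}
    forged_body = body.replace(b'"amount": 500', b'"amount": 50000')
    forged = {"X-PSP-Timestamp": str(now), "X-PSP-Signature": "deadbeef"}
    seen: Set[str] = set()
    return {
        "weak_accepts_forgery": weak_is_trusted(forged, forged_body),
        "genuine_accepted": verify_webhook(genuine, body, now, seen),
        "replay_rejected": not verify_webhook(genuine, body, now, seen),
        "tampered_rejected": not verify_webhook(genuine, forged_body, now, set()),
        "stale_rejected": not verify_webhook(genuine, body, now + 3600, set()),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The important details are that the signature is computed over the raw bytes before any JSON parsing (re-serialised JSON may not match what was signed), and that the event id is recorded so a genuine event replayed inside the tolerance window is still refused.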

Regulators see similar patterns. The data protection authority for the western German state of North Rhine-Westphalia (LDI NRW) tells iGB that it sees insecure APIs as a common weakness, noting that they may “allow authenticated users to access data of other users” or expose technical information that can be exploited to gain further access. Credential stuffing – replaying login details stolen in earlier breaches against other services – remains another persistent threat.
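The API weakness LDI NRW describes, an authenticated user reading another user’s records, is what OWASP calls broken object-level authorisation: the endpoint checks that someone is logged in but never that the record requested belongs to them. The example below is added for illustration and is not code from the article or from any operator it names; the records, roles and function names are constructed. It shows a profile lookup that stops at authentication beside one that ties the record to the session’s subject and trims fields per role, and a small harvesting loop that shows what a single valid session yields against each.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Constructed player records for the example; no real data.
PLAYERS: Dict[int, dict] = {
    1001: {"email": "ana@example.test", "kyc_doc": "passport-ref-A1", "balance": 120.0},
    1002: {"email": "ben@example.test", "kyc_doc": "idcard-ref-B7", "balance": 8.5},
}


@dataclass(frozen=True)
class Session:
    subject_id: int        # the authenticated player (or support agent) id
    role: str = "player"   # "player" or "support"


class AccessDenied(Exception):
    """Raised for both 'no such record' and 'not your record', deliberately."""


def vulnerable_get_profile(session: Optional[Session], player_id: int) -> dict:
    """Checks that *someone* is logged in, then serves whatever id the URL
    carried: the 'authenticated users can access data of other users' pattern."""
    if session is None:
        raise AccessDenied("login required")
    record = PLAYERS.get(player_id)
    if record is None:
        raise AccessDenied("not found")
    return dict(record)


def hardened_get_profile(session: Optional[Session], player_id: int) -> dict:
    """Binds the requested object to the authenticated subject (or an explicit
    support role) and minimises the fields returned per role."""
    if session is None:
        raise AccessDenied("login required")
    record = PLAYERS.get(player_id)
    owner = session.role == "player" and session.subject_id == player_id
    support = session.role == "support"
    # One indistinguishable failure for missing and foreign records, so a
    # caller walking the id space cannot learn which ids exist.
    if record is None or not (owner or support):
        raise AccessDenied("not found")
    if support:
        # Support agents get contact data; the KYC document reference stays
        # with the owner and the KYC pipeline.
        return {k: v for k, v in record.items() if k != "kyc_doc"}
    return dict(record)


def harvest(fetch: Callable[[Optional[Session], int], dict],
            session: Session, ids: Iterable[int]) -> Dict[int, dict]:
    """Models the attack: one valid session iterating over candidate ids."""
    found: Dict[int, dict] = {}
    for pid in ids:
        try:
            found[pid] = fetch(session, pid)
        except AccessDenied:
            continue
    return found


if __name__ == "__main__":
    stolen = Session(subject_id=1001)
    print("vulnerable:", sorted(harvest(vulnerable_get_profile, stolen, range(1000, 1010))))
    print("hardened:  ", sorted(harvest(hardened_get_profile, stolen, range(1000, 1010))))
```

Sequential integer ids make the harvesting loop trivial; random identifiers slow it down but do not fix it, because the missing check is on ownership, not on guessability.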

Mitigation, in theory, is straightforward: restrict access, monitor continuously, enforce least-privilege principles and conduct regular penetration testing. In practice, implementation is inconsistent. As Kuehl notes, managing third-party risk requires “consistent operational discipline rather than complex technical solutions” – a quality not always abundant in fast-moving commercial environments. 

Lessons from recent data breaches 

The Merkur breach and similar incidents in the United States offer a clear set of lessons, although not necessarily new ones. Credentials remain the weakest link. 

“In many cases, attackers do not need to break in; they simply log in,” says Kuehl. Phishing, password reuse and stolen credentials continue to provide easy access. Stronger identity and access management – particularly multi-factor authentication – can significantly reduce this risk, yet adoption is far from universal. 
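Kuehl’s point that attackers “simply log in” also shapes what to look for. Credential stuffing leaves a characteristic trace in authentication logs: many distinct usernames from one source in a short window with a low success rate, as opposed to one player fumbling their own password. The example below is added for illustration and is not code from the article; the log format, the addresses (RFC 5737 test ranges), the usernames and the thresholds are constructed. It runs that check over a few invented log lines and also lists the accounts where the attacker’s login succeeded, since those need a forced reset or step-up authentication rather than just an IP block.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, Optional

# Constructed authentication log for the example; not real traffic.
LOG_LINES = """
2026-03-01T10:00:00 ip=203.0.113.7 user=alice result=fail
2026-03-01T10:00:04 ip=203.0.113.7 user=bob result=fail
2026-03-01T10:00:05 ip=198.51.100.9 user=ivan result=fail
2026-03-01T10:00:09 ip=203.0.113.7 user=carol result=fail
2026-03-01T10:00:10 ip=192.0.2.5 user=judy result=ok
2026-03-01T10:00:13 ip=203.0.113.7 user=dave result=fail
2026-03-01T10:00:18 ip=203.0.113.7 user=erin result=ok
2026-03-01T10:00:20 ip=198.51.100.9 user=ivan result=fail
2026-03-01T10:00:22 ip=203.0.113.7 user=frank result=fail
2026-03-01T10:00:27 ip=203.0.113.7 user=grace result=fail
2026-03-01T10:00:31 ip=203.0.113.7 user=heidi result=fail
2026-03-01T10:00:40 ip=198.51.100.9 user=ivan result=ok
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parses one log line; malformed lines are skipped rather than crashing the detector."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_stuffing(lines: Iterable[str], window_seconds: int = 60,
                    min_distinct_users: int = 5,
                    max_success_ratio: float = 0.25) -> Dict[str, object]:
    """Flags source IPs that, inside a sliding window, try many distinct
    usernames with a low success rate, and lists accounts the flagged
    sources logged into successfully."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # per-IP sliding window of attempts
    flagged: Dict[str, dict] = {}
    for ev in events:
        q = recent[ev["ip"]]
        q.append(ev)
        # Drop attempts that fell out of the window (ev itself always stays).
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()
        users = {x["user"] for x in q}
        successes = sum(1 for x in q if x["result"] == "ok")
        if len(users) >= min_distinct_users and successes / len(q) <= max_success_ratio:
            flagged[ev["ip"]] = {"attempts": len(q), "distinct_users": len(users),
                                 "successes": successes}
    # A valid login from a flagged source is the attacker walking in with a
    # working password; blocking the IP alone leaves that account exposed.
    compromised = sorted({e["user"] for e in events
                          if e["ip"] in flagged and e["result"] == "ok"})
    return {"flagged_ips": flagged, "compromised_accounts": compromised}


if __name__ == "__main__":
    result = detect_stuffing(LOG_LINES)
    for ip, stats in result["flagged_ips"].items():
        print(f"stuffing from {ip}: {stats}")
    print("accounts needing reset/step-up:", result["compromised_accounts"])
```

In the constructed log, 198.51.100.9 fails twice on one account and then succeeds, which is ordinary user behaviour and is not flagged; 203.0.113.7 cycles eight usernames in half a minute with one hit, and that hit (erin) is the account to act on. Real deployments spread the attack over many addresses, so the same logic is usually run per ASN or per device fingerprint as well as per IP.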

Detection is another critical factor. The severity of a breach is often determined not by its occurrence, but by its duration. Prolonged undetected access allows attackers to escalate privileges, exfiltrate data and entrench themselves within systems. 

Both regulators and industry experts emphasise the need for continuous monitoring. LDI NRW stresses that “web-based services need to be continuously evaluated and monitored”, including not only APIs and authentication systems but also underlying frameworks and infrastructure. 

Communication, too, remains a weak point. Organisations often treat breaches as public-relations crises rather than operational failures. This instinct to delay or minimise disclosure can backfire, eroding trust among both players and regulators. 

“Treating a breach primarily as a public-relations issue typically worsens the situation,” Kuehl says. Transparency, by contrast, is increasingly expected, and regulators across Europe emphasise the importance of timely notification, both to authorities and to affected individuals.

GDPR regulation: necessary but insufficient 

Europe’s regulatory framework, anchored by the General Data Protection Regulation (GDPR), has raised the baseline for data protection. It imposes strict reporting timelines – notification of the supervisory authority within 72 hours of becoming aware of a breach – and significant potential penalties. It also requires organisations to implement technical and organisational measures proportionate to the risk.

Yet its effectiveness is uneven. Kuehl notes that GDPR’s impact is “more pronounced in breach response than in breach prevention”. Enforcement can be slow and its deterrent effect diminished. 

Fragmentation further complicates matters. iGaming operators often operate across multiple jurisdictions, each with its own regulatory nuances. This creates complexity and, at times, inconsistency. 

The UK’s Information Commissioner’s Office (ICO) acknowledges the broader trend: “Cyber attacks are on the rise across all sectors and, while they can be very sophisticated, we find that many organisations are still neglecting the very foundations of cyber security,” a spokesperson tells iGB. The ICO emphasises basic controls – strong passwords, multi-factor authentication and vulnerability management – as essential safeguards.

Spain’s data protection authority takes a similar stance, providing extensive guidance on breach notification and compliance. Its framework underscores that GDPR obligations apply uniformly across sectors, including gambling, and that timely communication with both regulators and affected individuals is central to mitigating harm. 

Still, a gap remains. Unlike financial services or healthcare, iGaming lacks widely adopted, sector-specific cybersecurity standards. Flores Martin argues that this absence allows underinvestment to persist: “Regulators mandate ‘adequate security’ without defining what that actually means technically.” 

Intelligent player data attacks on the rise 

If the current threat landscape is challenging, the next phase may be more so. Advances in artificial intelligence are reshaping both attack and defence. 

Flores Martin points to the emergence of “agentic AI attacks”, in which autonomous systems identify vulnerabilities and exploit them without human guidance. Such tools dramatically reduce the cost and time required to conduct sophisticated attacks. 

Simon Marchand, an independent fraud and identity expert, warns that these technologies enable “industrial-level attacks, with stolen credentials being used potentially thousands of times in a very short period of time in patterns that can avoid traditional antifraud platforms”. 

Defence, therefore, must evolve in parallel. Behavioural analytics – monitoring how users interact with a platform – can help detect anomalies even when credentials are valid. As Flores Martin notes, “attackers don’t play like the real person”. 

Kuehl highlights the role of AI in reducing noise and prioritising threats, while automation can accelerate incident response. But all three experts caution that technology is not a magic bullet in itself. Its effectiveness depends on data quality, governance and integration. 

“AI does not compensate for weak foundational data practices; it amplifies them,” Kuehl observes. 

Trust, transparency and the player 

Ultimately, the impact of data breaches extends beyond regulatory fines or operational disruption. It strikes at the core of the industry’s relationship with its customers: trust. 

For players, the recommended safeguards are essential. Unique passwords, multi-factor authentication and vigilance against phishing attempts remain the first line of defence. Marchand adds the importance of monitoring credit files and responding quickly to suspicious activity. 

For operators, transparency is no longer optional. Both regulators and experts emphasise the need for clear and timely communication.

The ICO advises individuals to “check regularly for updates from the organisation and follow their advice if they confirm that an individual’s personal information has been impacted”. LDI NRW goes further, recommending that companies communicate breaches even when not strictly required, enabling users to understand the risks and take protective measures. 

Marchand stresses that “hiding it will only hurt trust once it becomes public information”. Providing support – such as password resets, fraud monitoring and accessible customer service – can help mitigate reputational damage. 

Future depends on player protection 

The iGaming sector is not alone in facing cybersecurity challenges. But its combination of valuable data, rapid growth and fragmented structure makes it particularly exposed. 

The direction of travel is clear. Regulatory scrutiny is increasing. New frameworks, such as the EU’s NIS2 Directive – legislation designed to strengthen cybersecurity across the EU – will impose stricter requirements. Technological defences are advancing, even as threats become more sophisticated.

But as long as cybersecurity in some parts of the sector is treated as a compliance exercise rather than a core operational risk, vulnerabilities will persist. 

The industry’s future growth depends not only on attracting players, but equally on protecting them. In gambling, the odds are meant to be calculated. When it comes to iGaming player data security – as it stands – they remain uncertain. 

https://igamingbusiness.com/tech-innovation/player-data-leaks-inside-igamings-cyber-crisis/