
iGaming Industry Data Breach Crisis: 400% Attack Growth Exposes Security Weaknesses

PASA News

In the gambling industry, risk is supposed to stay inside the game. A bigger storm, however, is brewing in the dark: the continuous leakage of player data. From Germany's Merkur incident to multiple fantasy sports platforms in the US being hacked, a series of security breaches has already unsettled regulators. The problem is that the industry's response is still uneven, and in some quarters even somewhat "resigned".

Behind this lies a structural issue. iGaming platforms store not just usernames and passwords, but also identity documents, payment information, behavioral traces, and geographical locations: highly sensitive data, all concentrated in one place. It's like stacking gold in a single warehouse; it is bound to attract attention. PASA's official website also found that these platforms have a much larger attack surface than most industries.

Data this "rich" naturally draws attackers

Why do iGaming platforms attract hackers? Mark Flores Martin, CEO of AI platform developer XGENIA, hits the nail on the head: a breached game account gives attackers a "complete identity", not just a credit card number. Many traditional industries have dispersed data, but iGaming platforms often centralize identity verification (KYC), payment records, and behavioral analysis all together.

The consequence: a single successful intrusion can expose a user's entire digital profile, not only causing trouble on the platform but also enabling other activities, such as identity theft and financial fraud. Cris Kuehl, Chief Data Officer at Continent 8 Technologies, revealed a chilling figure: since February 2025, cyber-attacks against online and offline casino operators have surged by 400%. This indicates that attackers have moved from "trying their luck" to "targeted demolition".

"Speed" first, safety sidelined

The iGaming industry is all about "speed" — new markets, new products, continuous iteration. But safety, unfortunately, is the "drag". Mark Flores Martin calls this "launch first, secure later", resulting in an ever-growing "security debt". Cris Kuehl also said that for many decision-makers, security is just a stumbling block that slows things down, often resulting in slashed budgets and lowered priorities.

What's more troublesome is that many operators grow through acquisitions and partnerships, ending up with a mix of old and new systems and a tangled web of third-party interfaces. In the end, they can't even figure out how many "doors" they have open. Coupled with a global shortage of cybersecurity talent, small operators can hardly compete with fintech giants and big companies, and simply staying compliant is already an achievement. But here lies the problem: compliance does not equal security. Passing an audit doesn't mean a platform can withstand real attacks. Kuehl bluntly stated that passing audits sometimes gives a false sense of "I'm already safe", which is a trap of one's own making.

Third parties, an indefensible "back door"

If internal issues can still be managed, external third-party vendors are like a sieve. Payment channels, game studios, KYC service providers, promotion platforms... Each additional partner is another potential breach. Last year's Merkur incident is a typical example, where attackers tore through its platform service provider The Mill Adventure, eventually exposing data of up to 800,000 people.

Cris Kuehl calls third-party risk "one of the most persistent exposure points in the iGaming industry". Many operators don't even know how their APIs interact with external systems, with common vulnerabilities including: overly generous API permissions, poor key management, unpatched software, and contracts that don't specify security requirements. Mark Flores Martin also added several recurring issues: "overly authorized API keys", "insecure KYC file transfers", "webhook verification being virtually non-existent".

The data protection authority of North Rhine-Westphalia (LDI NRW) also confirmed to industry media iGB that they repeatedly see API security issues in their supervisory work, such as "allowing authenticated users to view other people's data" or exposing technical details to attackers. Solving these problems is theoretically not complex: limiting permissions, continuous monitoring, least privilege, regular penetration testing. But the issue is that, in a business environment that prioritizes speed, very few actually achieve this.
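Two of the recurring API weaknesses named above, an authenticated user reading other users' KYC records and webhooks with no verification, are shown below beside their fixes. This is an added illustration, not code from the article or from any operator it mentions; the record store, user names and secret are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample data (not from the article): KYC records keyed by id, each with an owner.
KYC_RECORDS = {
    "kyc-1001": {"owner": "alice", "document": "passport-scan-1.pdf"},
    "kyc-1002": {"owner": "bob", "document": "id-card-scan-2.pdf"},
}


def kyc_endpoint_vulnerable(authenticated_user: str, record_id: str):
    """Checks only that *someone* is logged in: any authenticated user can read any record."""
    record = KYC_RECORDS.get(record_id)
    if record is None:
        return 404, None
    return 200, record


def kyc_endpoint_hardened(authenticated_user: str, record_id: str):
    """Object-level authorization: the record must belong to the caller.

    Missing and foreign records get the identical answer, so record ids cannot be
    enumerated by comparing "not found" with "forbidden" responses.
    """
    record = KYC_RECORDS.get(record_id)
    if record is None or record["owner"] != authenticated_user:
        return 404, None
    return 200, record


def sign_webhook(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body; the sender puts this hex digest in a header."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Receiver side: recompute the MAC and compare in constant time.

    Any change to the body (e.g. a payment status flipped by a third party in the
    path) or a forged header fails verification.
    """
    expected = sign_webhook(secret, body)
    return hmac.compare_digest(expected, signature_header)
```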

Lessons are there, but few are willing to learn from them

The Merkur incident and those cases with fantasy sports platforms in the US have already laid out the issues. First, account passwords are still the weakest link. Cris Kuehl put it bluntly: "Many times, attackers don't need to 'attack' to get in, they just 'log' in." Phishing, password reuse, credential stuffing — these old tricks still work wonders. Multi-factor authentication (MFA) could block most issues, but many platforms simply don't promote it.

Secondly, late discovery is more deadly than the breach itself. Many attacks are not a one-time deal but involve lurking for months to slowly mine data. Thus, continuous monitoring is crucial, and LDI NRW also emphasized that "web-based services must be continuously evaluated and monitored", not just the APIs and authentication systems, but also the underlying frameworks and infrastructure.
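The "they just log in" pattern and the case for continuous monitoring can be made concrete with a small detector run over authentication logs: one source address failing against many different accounts and then succeeding is the signature of credential stuffing, while repeated failures on a single account usually are just a forgetful user. This is an added example, not code from the article; the log format and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample authentication log (not from the article). Assumed line format:
# <timestamp> ip=<addr> user=<name> result=<OK|FAIL>
SAMPLE_LOG = """\
2025-03-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2025-03-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2025-03-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2025-03-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2025-03-01T10:00:03Z ip=203.0.113.5 user=erin result=OK
2025-03-01T10:00:09Z ip=198.51.100.7 user=frank result=FAIL
2025-03-01T10:00:15Z ip=198.51.100.7 user=frank result=FAIL
2025-03-01T10:00:21Z ip=198.51.100.7 user=frank result=OK
"""


def parse_line(line: str) -> dict:
    """Split one log line into its fields; the first token is the timestamp."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = ts
    return fields


def detect_credential_stuffing(log_text: str, min_failures: int = 3, min_distinct_users: int = 3) -> dict:
    """Flag source IPs that fail against many distinct accounts, and note which
    accounts they subsequently logged into (those need a forced reset / MFA step-up)."""
    failures = defaultdict(int)            # ip -> number of failed logins
    failed_users = defaultdict(set)        # ip -> accounts it failed against
    success_after_spray = defaultdict(set) # ip -> accounts it entered after the spray began
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        ip = event["ip"]
        if event["result"] == "FAIL":
            failures[ip] += 1
            failed_users[ip].add(event["user"])
        elif failures[ip] >= min_failures:
            success_after_spray[ip].add(event["user"])
    alerts = {}
    for ip, count in failures.items():
        if count >= min_failures and len(failed_users[ip]) >= min_distinct_users:
            alerts[ip] = {
                "failures": count,
                "distinct_users": len(failed_users[ip]),
                "accounts_entered": sorted(success_after_spray[ip]),
            }
    return alerts
```

In the sample, 203.0.113.5 is flagged with the "erin" account entered after the spray, while 198.51.100.7 (one user, two failures, then success) is not.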

Lastly, how to communicate after an incident is also an art. Some companies start by thinking about public relations and how to suppress the issue, which only makes things worse. Kuehl said that treating leaks as a PR crisis only exacerbates the situation. Now, whether it's regulators or players, transparency is increasingly valued. Timely reporting and providing support are key to regaining trust.

GDPR is the baseline, but not a talisman

Europe's General Data Protection Regulation (GDPR) indeed raised the standard for data protection significantly, specifying strict reporting deadlines and imposing hefty fines. But the problem is, its effect is more evident in "post-event handling" rather than "pre-event prevention". Cris Kuehl pointed out that GDPR's role in reporting violations is more apparent than in preventing them.

Additionally, regulatory fragmentation is also a challenge. iGaming operators often operate in multiple countries, each with different requirements, making compliance costs frighteningly high. The UK's Information Commissioner's Office (ICO) told iGB that although cyber-attack methods are becoming more advanced, they found many institutions still fail to implement even the most basic security measures, such as strong passwords, multi-factor authentication, and vulnerability management.

Spain's data protection authority echoed similar sentiments, emphasizing that GDPR obligations apply to all industries, including gambling. Timely reporting and communication are key to mitigating losses. However, the problem is that the iGaming industry, unlike finance or healthcare, lacks a set of recognized, industry-specific security standards. Mark Flores Martin succinctly pointed out the issue: "Regulations only require 'sufficient security', but no one can clearly define what 'sufficient' means."

With AI, both offense and defense must change

If current threats are already headache-inducing, the upcoming scenario might be even more thrilling. Artificial intelligence is reshaping both offense and defense. Mark Flores Martin mentioned a type of "agentic AI attack", which allows AI to find vulnerabilities and act on its own, without human supervision. Once such tools become widespread, the threshold for attacks will drop significantly.

Independent fraud and identity expert Simon Marchand also warned that these technologies could turn attacks into an "industrial assembly line", with stolen accounts being misused thousands of times in a very short period, overwhelming traditional anti-fraud platforms. Thus, defense also needs to be upgraded, such as using behavioral analysis — observing how users operate, how the mouse moves, what habits they have — to determine whether the login is genuinely the user. Flores Martin said: "Attackers can never completely mimic a person's real gameplay."

AI can also help on the defense side, such as assisting security teams in filtering massive volumes of alerts and prioritizing high-threat events. But Cris Kuehl raised a very practical point: AI cannot compensate for poor data foundations; it only magnifies problems. If data quality, governance, and integration can't keep up, even the strongest AI is useless.

In the end, it's all about trust

Ultimately, data breaches not only result in fines and operational disruptions, but they damage the most fundamental thing — players' trust in the industry. For ordinary players, the options are limited to using unique passwords, enabling multi-factor authentication, and avoiding phishing. Simon Marchand also advised keeping a close eye on one's credit records and reacting immediately if something seems off.

For operators, transparency is no longer an "extra credit" but a "mandatory question". ICO advises users to regularly check if platforms have issued security notifications, and LDI NRW even encourages companies to proactively report even when regulations don't mandate it, allowing users to assess their own risks. Simon Marchand put it more directly: "Hiding and hoarding, waiting for the day when things blow up, trust will be long gone." Instead, it's better to proactively provide support, such as resetting passwords, initiating fraud monitoring, and increasing customer service staff, to salvage some reputation.

Protecting players is the real "bet on the future"

The iGaming industry is certainly not the only one facing cybersecurity challenges. But holding the most valuable data, growing the fastest, and being the most disorganized, it is also the easiest target. Regulatory screws are tightening, and the EU's NIS2 directive has added yet another layer of constraint. Technology is also advancing, even as attack methods upgrade.

But as long as there are still people in the industry who treat security as "compliance" rather than "life and death", vulnerabilities will always exist. PASA's official website has always emphasized that the future of the industry relies not just on attracting players but on being able to keep them. In gambling, the odds can be calculated, but on the matter of iGaming data security, the current odds are hard to call good.

————

This article is from "PASA-Global iGaming Leaders", a gambling industry news channel: https://t.me/pasa_news
