Sensitive personal information of over a million online casino players using software provided by a Maltese company was “easily” accessed by an IT security researcher.
Lilith Wittmann, a member of “Europe’s largest hackers’ association”, the Chaos Computer Club, said weaknesses in software provided by St Julian’s company The Mill Adventure allowed her to access a raft of customer-sensitive data.
Player names, e-mail addresses, credit card details, postal addresses, casino IDs and session information were among the data exposed by the vulnerability, Wittmann said in a blog post detailing her findings.
The online casinos affected by the issue, Slotmagie.de, Crazybuzzer.de and Merkurbets.de (the last of which is registered to an address in St Julian’s), “all use casino software from the Maltese company [The Mill Adventure]”, she wrote in her post.
The security expert said the three casinos are operated by various Maltese subsidiaries of German gaming giant Merkur.
Calling the exposed information a “treasure trove of data for researchers but a disaster for users”, Wittmann explained she had been able to retrieve the data from the server “simply” and without needing to be logged in.
She noted that “further security gaps” in the integration of third-party payment-processing and know-your-customer (KYC) providers enabled her to retrieve “over 70,000 ID photos, selfies and proof of address”.
“The casino company Merkur AG and its service providers have made almost all of the data stored in their casino systems publicly accessible,” she said.
Wittmann said she informed the German Gambling Authority (GGL) of her discovery, which subsequently issued public warnings to The Mill Adventure and two other companies – Solis Ortus Service Ltd, registered in Sliema, and Cashpoint Malta Ltd – in relation to the security flaw.
All three companies have complied with the warning and conducted required security tests, according to the GGL website.
Wittmann added that while the vulnerability had been fixed after she filed a report, it was unclear whether anyone else had accessed the data.
She said Merkur AG had contacted its users about the issue, informing them she was “trustworthy and therefore the players are not at risk”.
A spokesperson for The Mill Adventure told Times of Malta the incident was an “unprecedented event” and that the company took “immediate action to address the issue”.
“Thanks to our team’s swift response and collaboration with top cybersecurity experts, we are further hardening our defences to ensure even greater protection for the players,” he said.
“Moving forward, we remain fully committed to maintaining the highest security standards so that all player data stays safe and private, as it should.”