
Inside the iGaming Cyber Crisis: Data Leaks and Regulatory Oversight

by Sienna Marques

In the gambling sector, risk is typically confined to the game itself. However, an alarming trend is emerging: the exposure of player data is becoming a significant threat. Recent breaches, such as the incident involving Merkur in Germany and various criminal cases tied to hacked fantasy sports platforms in the United States, have started drawing regulatory scrutiny. Yet, the industry's reaction has been inconsistent, with some areas showing troubling complacency.

The core issue is structural. iGaming platforms go beyond storing just usernames and passwords; they harbor an extensive range of personal and financial data, including identity documents, payment details, behavioral patterns, and geolocation information. This makes these platforms particularly attractive targets for cybercriminals.

Cris Kuehl, chief data, information and AI officer at Continent 8 Technologies, emphasizes the severity of the situation: “The threat is substantial – greater than many outside the sector recognize. Our data shows a 400% increase in cyber incidents affecting online and land-based casino operators since February 2025.” This dramatic rise indicates a shift away from opportunistic attacks to more systematic targeting and points to a troubling vulnerability: while the iGaming industry has seen rapid growth, its security capabilities have not progressed at the same rate.

The industry's allure lies in the wealth of data it collects. Mark Flores Martin, CEO of AI platform developer XGENIA, describes how compromised gaming accounts can provide attackers access to complete identities, not just credit card details. Unlike many sectors, where data may be dispersed, iGaming platforms often centralize identity verification (KYC), payment processing, and behavioral analytics, amplifying the fallout from any breach. A single successful attack can create a comprehensive digital profile of a user, which can lead not only to fraud within the platform but also to identity theft elsewhere.

Larger operators, especially those with established technology teams, are beginning to make significant investments in cybersecurity. However, smaller operators often see security as merely a regulatory hurdle rather than a strategic necessity. Flores Martin notes this disparity: “At the top end, large operators invest properly. But the long tail often treats cybersecurity as a license checkbox.” This results in an industry characterized by weak links that are both numerous and challenging to monitor.

Cultural factors contribute to the problem. The iGaming industry is known for its rapid pace, constantly launching new products and entering new markets. Security, however, is frequently viewed as an impediment. According to Kuehl, security often gets deprioritized as leaders steer their focus toward speed: “Security is often perceived as an obstacle to that pace, resulting in reduced scope or deprioritized controls.” The tendency to prioritize getting products to market over fortifying security creates what Flores Martin describes as “compounding security debt.”

This debt is compounded by structural complexities. Many operators expand through acquisitions or partnerships, resulting in a convoluted mix of legacy systems, third-party integrations, and overlapping responsibilities. This fragmentation limits visibility, leaving no single team with a complete understanding of the attack surface.

Talent shortages further exacerbate the issue. With millions of cybersecurity positions unfilled worldwide, iGaming operators find themselves competing with fintech and major tech firms for skilled professionals. Many cannot offer the salaries or challenges needed to attract top-tier talent.

Consequently, a dangerous misconception exists: that compliance equates to sufficient security. Meeting audit requirements may please regulators but does not guarantee resilience against real-world attacks. Kuehl warns, “Passing an audit can create a false sense of confidence.”

Externally, the vulnerabilities of iGaming platforms are even more pronounced. The sector heavily relies on an extensive network of third-party suppliers, such as payment processors, game studios, KYC providers, affiliate platforms, and infrastructure partners. Each link represents a potential vulnerability.

The Merkur breach last year highlighted this risk: a vulnerability in the platform provider The Mill Adventure allowed ethical hacker Lilith Wittmann to access data on up to 800,000 individuals across Merkur's online portfolio in Germany.

Kuehl describes third-party risk as “one of the most consistent exposure points within the iGaming sector.” Many operators lack a clear understanding of how APIs, which are used for software communication and data sharing, interact with their systems. Common vulnerabilities include excessive access privileges for vendors, weak credential management, unpatched software components, and contracts lacking explicit security requirements. Flores Martin identifies issues such as “overprivileged API keys,” “insecure KYC document sharing,” and “weak webhook validation” as common flaws.
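The "weak webhook validation" named above is one of the few flaws in this list that can be shown directly in code. The following is an added example, not code from the page or from any vendor mentioned in it: a weak static-token check beside a hardened one that ties the signature to the request body and its timestamp. The header names, the `t=<unix>,v1=<hex>` signature layout, the shared secret and the event payload are all assumptions constructed for the illustration.

```python
"""Webhook validation: a weak pattern beside a hardened one.

Added example. The signing scheme (header names, "t=<unix>,v1=<hex>" layout)
is assumed for illustration and is not any payment provider's real API.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret; a real deployment loads it from a secrets store.
SHARED_SECRET = b"demo-webhook-secret-not-real"
MAX_SKEW_SECONDS = 300  # reject events older (or newer) than five minutes


def weak_verify(headers: dict, body: bytes) -> bool:
    """Weak pattern: a static token compared with ==.

    Anyone who learns the token (a log line, a repo, a vendor leak) can forge
    events, and nothing binds the token to the body, so an intercepted request
    can be replayed or altered while still passing this check."""
    return headers.get("X-Webhook-Token") == SHARED_SECRET.decode()


def sign(body: bytes, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """Build the signature header a sender would attach: HMAC-SHA256 over
    "<timestamp>.<raw body>" so the timestamp cannot be swapped later."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def hardened_verify(headers: dict, body: bytes, now: Optional[int] = None,
                    secret: bytes = SHARED_SECRET) -> bool:
    """Hardened pattern: HMAC over timestamp + raw body, constant-time
    comparison, and a freshness window that limits replay."""
    now = int(time.time()) if now is None else now
    sig_header = headers.get("X-Webhook-Signature", "")
    parts = dict(p.split("=", 1) for p in sig_header.split(",") if "=" in p)
    try:
        ts = int(parts["t"])
        received = parts["v1"]
    except (KeyError, ValueError):
        return False  # malformed or missing signature header
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or far-future event: likely a replay
    expected = hmac.new(secret, f"{ts}.".encode() + body,
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(expected, received)


# Constructed sample event, used when the module is run directly.
SAMPLE_BODY = json.dumps({"event": "deposit.completed",
                          "player_id": "p-123", "amount": "50.00"}).encode()
SAMPLE_TS = 1_700_000_000

if __name__ == "__main__":
    hdrs = {"X-Webhook-Signature": sign(SAMPLE_BODY, SAMPLE_TS)}
    print("genuine:", hardened_verify(hdrs, SAMPLE_BODY, now=SAMPLE_TS))
    tampered = SAMPLE_BODY.replace(b"50.00", b"5000.00")
    print("tampered body:", hardened_verify(hdrs, tampered, now=SAMPLE_TS))
    print("replayed an hour later:",
          hardened_verify(hdrs, SAMPLE_BODY, now=SAMPLE_TS + 3600))
```

The weak check passes a tampered body as long as the token is present; the hardened check rejects a changed amount, a stale timestamp, and a missing header, and it verifies over the raw bytes rather than a re-serialised JSON object so that formatting differences cannot open a gap between what was signed and what was checked.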

Regulatory bodies also recognize similar patterns. The data protection authority in the German state of North Rhine-Westphalia (LDI NRW) has flagged insecure APIs as a frequent vulnerability, noting that they may allow authenticated users to access other users' data or disclose technical information that attackers can exploit. Credential stuffing—using stolen login details from past breaches—remains a persistent threat.

In theory, mitigation strategies are straightforward: restrict access, monitor continuously, enforce least-privilege principles, and conduct regular penetration tests. However, implementation is often inconsistent. Kuehl states that managing third-party risk calls for “consistent operational discipline rather than complex technical solutions,” which can be lacking in fast-paced commercial environments.

Recent data breaches, such as the one at Merkur, serve as a reminder of important lessons, though not necessarily new ones. Credential vulnerabilities continue to be a major weakness. Kuehl points out, “In many cases, attackers do not need to break in; they simply log in.” Phishing, password reuse, and stolen credentials remain major entry points. Enhanced identity and access management, particularly through multi-factor authentication, can significantly mitigate this risk, yet such measures are not universally adopted.

The duration of a breach often determines its severity. Prolonged unnoticed access allows attackers to escalate privileges, steal data, and embed themselves in systems. Continuous monitoring is essential. LDI NRW emphasizes that “web-based services need to be continuously evaluated and monitored,” covering not only APIs and authentication systems but also the foundational frameworks and infrastructure.
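The continuous monitoring called for here, applied to the credential stuffing that LDI NRW names earlier, can be illustrated with a small detector. The following is an added example, not code from the page or from any operator or vendor it mentions: it parses constructed authentication log lines and flags a source address that fails logins against many distinct accounts inside a short window, then lists any account that source later logged into successfully (valid credentials, which is exactly the case password checks alone miss). The log format, the thresholds and the sample addresses (from the documentation ranges) are assumptions made for the illustration.

```python
"""Credential-stuffing detection over authentication log lines.

Added example; the log format, thresholds and sample data are constructed
for this illustration and do not come from any real product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>ok|fail)$"
)

# Constructed sample: one source cycling through many accounts and then
# succeeding on one of them; one ordinary user mistyping twice, then succeeding.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z login src=203.0.113.5 user=alice result=fail
2025-03-01T10:00:02Z login src=203.0.113.5 user=bob result=fail
2025-03-01T10:00:03Z login src=203.0.113.5 user=carol result=fail
2025-03-01T10:00:04Z login src=203.0.113.5 user=dave result=fail
2025-03-01T10:00:05Z login src=203.0.113.5 user=erin result=fail
2025-03-01T10:00:06Z login src=203.0.113.5 user=frank result=fail
2025-03-01T10:00:07Z login src=203.0.113.5 user=grace result=ok
2025-03-01T10:01:00Z login src=198.51.100.7 user=henry result=fail
2025-03-01T10:01:10Z login src=198.51.100.7 user=henry result=fail
2025-03-01T10:01:20Z login src=198.51.100.7 user=henry result=ok
"""


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag a source that fails logins for >= min_distinct_users distinct
    accounts within `window`. A single user failing repeatedly from one
    address is ordinary password trouble, not stuffing, so the metric is
    distinct usernames, not raw failure count. Any later successful login
    from a flagged source is reported as an at-risk account."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    flagged = {}
    at_risk = set()
    for src, evs in by_src.items():
        recent_fails = []  # (ts, user) pairs still inside the window
        for ev in evs:
            if ev["result"] == "fail":
                recent_fails.append((ev["ts"], ev["user"]))
                cutoff = ev["ts"] - window
                recent_fails = [f for f in recent_fails if f[0] >= cutoff]
                distinct = {u for _, u in recent_fails}
                if len(distinct) >= min_distinct_users:
                    entry = flagged.setdefault(
                        src, {"first_seen": ev["ts"], "distinct_users": 0})
                    entry["distinct_users"] = max(entry["distinct_users"],
                                                  len(distinct))
            elif src in flagged:
                # valid credentials used by a stuffing source: step-up auth,
                # forced reset and session revocation are the usual responses
                at_risk.add(ev["user"])
    return {"flagged_sources": flagged, "at_risk_accounts": sorted(at_risk)}


if __name__ == "__main__":
    report = detect_stuffing(parse(SAMPLE_LOG.splitlines()))
    for src, info in report["flagged_sources"].items():
        print(f"stuffing source {src}: {info['distinct_users']} accounts "
              f"tried, first seen {info['first_seen']:%H:%M:%S}")
    print("accounts needing reset / step-up:", report["at_risk_accounts"])
```

In production the same logic runs over a stream rather than a list, and the source key is usually widened beyond the IP (ASN, device fingerprint, user-agent) because large stuffing campaigns rotate through proxy pools; the distinct-account signal still holds once the key is chosen.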

Organizations often mismanage breach communication, treating incidents as public relations challenges rather than operational failures. This tendency to delay or minimize disclosure can damage trust with players and regulators. Kuehl advises against this approach, stating, “Treating a breach primarily as a public-relations issue typically worsens the situation.” Transparency is increasingly important, with regulators across Europe stressing timely notifications to authorities and affected individuals.

The General Data Protection Regulation (GDPR) has established a baseline for data protection in Europe, setting strict reporting timelines—usually 72 hours—and imposing heavy penalties. While the regulation urges organizations to adopt measures commensurate with risk, its effectiveness is variable. Kuehl observes that GDPR's influence is “more pronounced in breach response than in breach prevention.” Enforcement is often slow, undermining its deterrent potential.

The fragmentation of regulatory environments further complicates matters. iGaming operators frequently navigate multiple jurisdictions, each with distinct regulatory requirements, creating inconsistencies. The UK’s Information Commissioner’s Office (ICO) notes that while cyber attacks are escalating across all sectors, many organizations still neglect fundamental cybersecurity principles. Strong passwords, multi-factor authentication, and vulnerability management are essential safeguards.

Similarly, Spain’s data protection authority has provided extensive guidance on breach notification and compliance, emphasizing that GDPR obligations are uniform across all sectors, including gambling. Timely communication with both regulators and affected individuals is crucial to mitigating harm.

Nonetheless, a significant gap remains. Unlike sectors such as finance or healthcare, iGaming lacks well-established cybersecurity standards. Flores Martin argues that this void allows for persistent underinvestment: “Regulators mandate ‘adequate security’ without defining what that actually means technically.”

Looking ahead, the evolving threat landscape may present even greater challenges. The advent of artificial intelligence is transforming both attack and defense strategies. Flores Martin points to the rise of “agentic AI attacks,” in which autonomous systems find and exploit vulnerabilities without human input, significantly lowering the time and cost of sophisticated attacks.

Simon Marchand, an independent fraud and identity expert, cautions that such technologies enable “industrial-level attacks, with stolen credentials potentially being reused thousands of times rapidly, allowing attackers to evade traditional antifraud systems.” Thus, defensive measures must advance concurrently. Behavioral analytics can help spot unusual patterns when credentials are valid, with Flores Martin asserting, “attackers don’t play like the real person.”

Kuehl highlights how AI can diminish noise and prioritize threats, while automation accelerates response times. However, all three experts stress that technology alone cannot solve the problem; its success hinges on data quality, governance, and integration. Kuehl remarks, “AI does not compensate for weak foundational data practices; it amplifies them.”

The ramifications of data breaches go beyond regulatory penalties or operational setbacks; they strike at the foundation of trust within the industry. For players, it is vital to employ strong safeguards such as unique passwords, multi-factor authentication, and vigilance against phishing attempts. Marchand underscores the importance of monitoring credit files and responding quickly to any suspicious activity.

Operators must embrace transparency as an essential principle. Both regulators and industry experts emphasize the importance of prompt and clear communication following a breach. The ICO advises individuals to “check regularly for updates from the organization and follow their advice if they confirm personal information has been impacted.” LDI NRW advocates for proactive communication about breaches, even when not legally required, to allow users to understand and mitigate risks.

As Marchand notes, “hiding it will only hurt trust once it becomes public information.” Providing support, such as password resets and fraud monitoring, coupled with accessible customer service, can help mitigate any reputational harm stemming from breaches.

The iGaming industry is not isolated in grappling with cybersecurity threats, but its mix of valuable data, rapid growth, and fragmented structures makes it particularly vulnerable. Regulatory scrutiny is on the rise, with new frameworks like the EU’s NIS2 Directive aimed at bolstering cybersecurity across the EU and imposing stricter requirements. While technological defenses are evolving, threats are becoming increasingly sophisticated.

As long as the approach to cybersecurity remains a mere compliance exercise rather than a core operational risk, vulnerabilities will continue to exist. The industry’s ability to grow in the future hinges not only on attracting players but also on their protection. In the realm of iGaming data security, uncertainty continues to loom.
