The Bullseye on iGaming
The global online gambling market processed an estimated $95.3 billion in 2024, and every dollar flows through digital infrastructure that attackers can target. iGaming platforms combine three things cyber criminals value most: high-volume financial transactions, rich personal identity data, and an always-online operational requirement that creates enormous pressure to resolve incidents quickly. Akamai's 2024 gaming security report documented 12.3 billion credential stuffing attacks against gaming platforms in a single year. DDoS attacks against gambling operators spike predictably around major sporting events, with Cloudflare recording a 105% increase in attacks targeting betting platforms during the 2024 European Championship.
The Fast Track Breach and Its Aftermath
In October 2023, Fast Track — the player engagement platform used by dozens of MGA-licensed operators — confirmed a data breach that exposed player data across multiple casino brands. The breach demonstrated a systemic risk unique to iGaming: operators share infrastructure through platform providers, payment processors, and game aggregators, meaning a single supplier breach can cascade across the industry. Affected operators faced simultaneous regulatory scrutiny from the MGA, GDPR investigations, and player trust erosion. Several operators reported measurable drops in first-time deposits in the weeks following disclosure. The incident forced a sector-wide reassessment of third-party risk management practices.
MGA Cybersecurity Requirements
The Malta Gaming Authority's Player Protection Directive (PPD 2018) and subsequent guidelines impose specific technical obligations on licensed operators. Article 8 requires licensees to implement "adequate information security measures" including encryption, access controls, and incident response capabilities. The MGA's 2024 cybersecurity guidance explicitly references ISO 27001 as the benchmark framework and requires operators to conduct annual penetration testing. Critically, the MGA mandates 72-hour breach notification — aligned with GDPR but enforced independently, meaning a single breach triggers parallel regulatory processes. Operators who fail to demonstrate adequate controls risk suspension or revocation of their licence, which for most B2C operators means the immediate end of their business.
- ISO 27001 alignment required by MGA guidance
- Annual penetration testing mandatory
- 72-hour breach notification to MGA (parallel to GDPR)
- Encryption at rest and in transit for all player data
- Documented incident response plan reviewed annually
Protecting Player Data at the Exfiltration Layer
Most iGaming security stacks focus on perimeter defence: firewalls, WAFs, and DDoS mitigation. These are necessary but insufficient. The Fast Track breach demonstrated that attackers who gain access through a trusted third party are already inside the perimeter. The missing layer is anti-data-exfiltration: technology that monitors all outbound data flows from every endpoint and blocks unauthorised transfers regardless of how the attacker gained access. For operators holding millions of player records including identity documents, payment details, and behavioural data, the ability to guarantee that stolen credentials cannot lead to stolen data is the difference between an incident and a licence-threatening catastrophe.
Frequently Asked Questions
What data do iGaming operators hold about players?
Licensed operators hold extensive player data including full legal names, addresses, dates of birth, identity document scans (passport, driving licence), payment card details, bank account information, transaction histories, and detailed behavioural data on betting patterns. KYC and AML requirements mean operators cannot minimise this data collection.
Can an MGA operator lose their licence over a cyber attack?
Yes. The MGA can suspend or revoke a licence if an operator fails to demonstrate adequate information security measures. In practice, the MGA is more likely to impose conditions, fines, or mandatory remediation plans, but repeated failures or a catastrophic breach with evidence of negligence can lead to licence revocation.
How often are iGaming platforms attacked?
Akamai documented 12.3 billion credential stuffing attacks against gaming platforms in 2024 alone. DDoS attacks spike around major sporting events, with Cloudflare recording a 105% increase during the 2024 European Championship. The sector is among the most persistently targeted globally.