Fast Track CRM Breach: Questions Affected Operators Are Asking
The Fast Track CRM breach of October 2025 raised urgent questions for affected and non-affected operators alike. These are the practical questions with direct answers — for operators trying to determine their obligations and next steps.
Fast Track served 100+ MGA-licensed operators at the time of breach.
Immediate Response Questions
- Q: How do I know if my operator was affected? A: Contact Fast Track directly for confirmation. If you used their CRM during the affected period, assume your player data may have been exposed pending confirmation.
- Q: What is the GDPR notification deadline? A: 72 hours from when you knew or should have known. If Fast Track notified you of the breach, that clock started then.
- Q: Do we need to notify our players? A: If the breach likely results in high risk to player rights and freedoms — and KYC document + financial data exposure almost certainly meets this threshold — yes.
Longer-Term Questions
- Q: Can we claim against Fast Track? A: Potentially — subject to your contract terms and evidence of damage. Seek legal advice. The DPA liability clauses in your contract are the starting point.
- Q: How do we prevent this with our other vendors? A: Panorays monitors all vendors' external security posture continuously — you get early warning of deteriorating security before a breach occurs, not after.
Frequently Asked Questions
Is SOC 2 certification meaningless after Fast Track?
Not meaningless — but insufficient as standalone assurance. SOC 2 Type 2 is a point-in-time audit. It confirmed Fast Track's controls at audit time. Continuous external monitoring (Panorays) fills the gap between audits.
What should we tell our players?
If notification is required: be specific about what data was exposed, when the breach occurred, what you've done about it, and what players should do (e.g., be alert to phishing using their details). Avoid vague language — regulators and players both see through it.
Will the MGA take action against affected operators?
The MGA is monitoring the situation. Operators who respond promptly, notify correctly, and demonstrate appropriate vendor due diligence are in a stronger position. Operators who are slow to notify or cannot demonstrate prior vendor oversight face greater regulatory risk.
Continuously monitor your vendors with Panorays
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
Get in touchReady to secure your iGaming operation?
MGA-licensed operators across Malta trust Kyanite Blue.