The Fast Track CRM Breach: What Malta's iGaming Operators Must Do Right Now
In October 2025, hackers breached Fast Track — a Malta-based CRM provider serving over 100 MGA-licensed operators. Player passports. Transaction histories. Betting patterns. KYC documents. Partial card data. All exposed. Fast Track held SOC 2 Type 2 certification. This is the defining iGaming cybersecurity incident of 2025, and every Malta operator should be asking: if this happened to Fast Track, who's next?
100+ MGA-licensed operators had player data exposed in a single vendor breach.
What We Know About the Fast Track Breach
Fast Track described the incident as a "highly sophisticated cyberattack." The data exposed included: full player names, email addresses, physical addresses, phone numbers, complete transaction histories, betting patterns and game preferences, customer support chat logs, KYC documents (passports, driving licences), and partial payment card data. The crypto casino Shuffle.com was among the confirmed affected operators. Critically, Fast Track had recently renewed its SOC 2 Type 2 certification — demonstrating that certification does not equal security.
Immediate Actions If You Were Affected
- Isolate the Fast Track integration from live player data immediately
- Conduct a data mapping exercise: exactly what data did Fast Track hold for your players?
- Assess your GDPR obligations: notify the IDPC within 72 hours of becoming aware if player data was exposed
- Assess whether to notify affected players directly (required if high risk to their rights)
- Engage your incident response process
- Preserve all logs related to Fast Track data access
- Review your DPA (Data Processing Agreement) with Fast Track for liability provisions
- Notify your MGA compliance officer
- Begin vendor risk reassessment for all other third-party CRM/platform providers
What This Means for All Malta Operators — Affected or Not
Even if you don't use Fast Track, this breach should trigger an immediate review of every third-party vendor that holds player data. Who else has access to your players' KYC documents? Who can read your transaction histories? What would happen if your PAM provider were hit the same way? The attack model is proven — and it will be replicated.
How Panorays Would Have Changed the Outcome
Panorays continuously monitors the external security posture of all your vendors. When Fast Track's attack surface showed the precursor indicators of a breach — unusual changes, new vulnerabilities, anomalous behaviour — Panorays would have alerted affected operators before the breach was disclosed. You wouldn't have to wait for a press release to know your players' data was at risk.
Frequently Asked Questions
Are we required to notify the IDPC about the Fast Track breach?
If Fast Track held personal data of your players and that data was exposed, you likely have a GDPR notification obligation to the IDPC within 72 hours of becoming aware. Seek legal advice immediately — the 72-hour clock runs from your awareness, not Fast Track's announcement.
Can we claim compensation from Fast Track for the breach?
Your Data Processing Agreement with Fast Track will determine liability allocation. Under GDPR, you may be jointly liable with Fast Track for player harm — and players can seek compensation from you directly. The DPA provisions are critical.
Should we stop using Fast Track immediately?
This depends on what data Fast Track currently holds and whether the breach vector has been closed. Work with your legal and technical teams to assess the risk of continued data processing versus the operational impact of switching providers.
Assess your vendor risk before the next breach
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.