So with my hat tips out of the way, here's the UB press release - I'll take a few hours to process and then give my expert (because everyone's an expert on the internet) analysis.
MONTREAL, CANADA (MAY 29, 2008) — Tokwiro Enterprises ENRG (”Tokwiro”), proprietors of UltimateBet.com (”UltimateBet”), one of the world’s largest online card rooms, today announced the results of its lengthy investigation into allegations of unfair play, which was triggered by concerns about an account named ‘NioNio’. Tokwiro has worked diligently in cooperation with its regulatory body, the Kahnawake Gaming Commission (”KGC”), and with independent third-party experts to conduct a thorough investigation that included a comprehensive review of hand histories and game data, thorough analyses of software and network security, and audits of its security practices and procedures.
The investigation has concluded that certain player accounts did in fact have an unfair advantage, and that these accounts targeted the highest limit games on the site. The individuals responsible were found to have worked for the previous ownership of UltimateBet prior to the sale of the business to Tokwiro in October 2006. Tokwiro is taking full responsibility for this situation and will immediately begin refunding UltimateBet customers for any losses that were incurred as a result of unfair play.
The fraudulent activity was enabled by unauthorized software code that allowed the perpetrators to obtain hole card information during live play. The existence of this vulnerability was unknown to Tokwiro until February 2008 and existed prior to UltimateBet’s acquisition by Tokwiro in October 2006. Our investigation has confirmed that the code was part of a legacy auditing system that was manipulated by the perpetrators. Gaming Associates, independent auditors hired by the KGC, have confirmed that the software code that provided the unfair advantage has been permanently removed.
Throughout the investigation of this incident, Tokwiro’s consistent priorities have been:
- To permanently remove the ability to engage in unfair play;
- To complete its investigation and come to a full understanding of what occurred;
- To refund the affected customers; and
- To implement measures that prevents future incidents.
The Company said, “We would like to thank our customers for their patience, loyalty and support, as well as for their understanding that we are doing everything we can to correct this situation. The staff and management of UltimateBet are fully committed to providing a safe and secure environment for our players, and we want to assure customers of our unwavering resolve to monitor site security with every resource at our disposal.”
These are the key events in the course of the incident.
- January 2008: UltimateBet is alerted to suspicions of unfair play on the part of the account “NioNio”. Within 24 hours, UltimateBet contacts the KGC to provide formal notice that UltimateBet has initiated an investigation of the incident. UltimateBet subsequently forwarded a copy of all related data to the KGC.
- January 2008: The “NioNio” account and related accounts are suspended pending further investigation.
- February 2008: Preliminary findings indicate abnormally high winning statistics for the suspect accounts. After discussions with the KGC, UltimateBet engages third-party gaming experts to assist with the analysis.
- February 2008: Investigators confirm that the suspect accounts are associated with individuals who had worked for UltimateBet under the previous ownership.
- February 2008: UltimateBet discovers the unauthorized code that allowed the perpetrators to obtain hole card information during live play. The code was part of a legacy auditing system that was manipulated by the perpetrators of the fraud.
- February 2008: UltimateBet immediately removes the unauthorized code and works with the KGC and with third-party auditors to verify that the security hole has been eliminated.
- March 2008: Six player accounts are confirmed to have participated in this scheme. No accounts were deleted at any point, although some account names were changed multiple times. The following account names are known to have been used in the fraudulent activity: NioNio, Sleepless, NoPaddles, nvtease, flatbroke33, ilike2win, UtakeIt2, FlipFlop2, erick456, WhackMe44, RockStarLA, stoned2nite, monizzle, FireNTexas, HeadKase01, LetsPatttty, NYMobser, and WhoWhereWhen.
- May 2008: The investigation confirms that the fraudulent activity took place from March 7, 2006 to December 3, 2007.
- May 2008: Gaming Associates certifies that the software code that enabled unfair play was removed from UltimateBet servers in February of 2008.
- May 2008: Customers affected by this incident are identified, and plans for corrective action are reviewed with the KGC.
Corrective Actions Taken
The following actions have been taken or are currently underway as a direct result of this investigation.
- The security hole identified in UltimateBet’s investigation has been permanently eliminated.
- UltimateBet is establishing a state-of-the-art software Security Center that consolidates and greatly enhances existing security capabilities. The first release of the new Security Center focuses solely on the immediate detection of abnormal winnings. Gaming mathematicians, poker professionals, and security software developers have all contributed to the specifications for the new Security Center.
- UltimateBet customers are no longer permitted to change account names unless they have suffered abuse in chat rooms. Requests for changes must be supported by proof of abuse and must be approved by the Chief Compliance Officer.
- In addition to its existing security department, UltimateBet has established a new specialized Poker Security team of professionals dedicated to fraud prevention.
- The refund process will begin immediately. The accounts associated with fraudulent activity did not use an unfair advantage in all play sessions. Regardless, UltimateBet is refunding all losses to these accounts.
- Accounts related to the fraudulent activity have been disabled, and the individuals associated with those accounts permanently banned from the site.
- UltimateBet has worked closely and transparently with its governing body, the KGC and its designated expert auditors, to determine exactly what happened, how it happened, and who was involved, and has taken action to prevent any possibility of this situation recurring.
- Tokwiro is pursuing its legal options in regard to this incident.