Fast Track CRM Breach Analysis: How One Vendor Exposed 100+ iGaming Operators
In October 2025, Fast Track — a Malta-based CRM provider serving over 100 MGA-licensed iGaming operators — suffered a "highly sophisticated cyberattack." Player passports, transaction histories, betting patterns, KYC documents, and partial card data were exposed across hundreds of thousands of player records. Fast Track held SOC 2 Type 2 certification at the time. This is the most consequential iGaming cybersecurity incident of 2025.
100+ MGA operators. Hundreds of thousands of player records. One vendor breach.
What Data Was Exposed
The Fast Track breach exposed:
- Full player names and email addresses
- Physical addresses and phone numbers
- Complete transaction histories
- Detailed betting patterns and game preferences
- Customer support chat logs
- KYC documents: passports and driving licences
- Partial payment card data
Why This Attack Was So Effective
Fast Track had privileged, deep access to operator player databases — exactly the access a CRM needs to function. When attackers compromised Fast Track, they inherited all that access simultaneously across every operator client. The SOC 2 Type 2 certificate Fast Track held is a point-in-time audit — it confirmed controls were in place at the time of the audit. It said nothing about the novel attack technique used against them.
The Regulatory Cascade
Every affected operator faced simultaneous obligations: GDPR breach notification to the IDPC within 72 hours; potential direct player notification; MGA investigation; DPA liability review with Fast Track; reputational management. All triggered by a breach in a vendor's system that the operators had no visibility into and no ability to prevent.
What Would Have Changed the Outcome
Panorays monitoring Fast Track's external security posture could have detected precursor indicators before the breach occurred — unusual changes to their systems, new vulnerabilities in their stack, anomalous behaviour. More importantly: operators with Panorays would have had real-time visibility into Fast Track's security posture rather than waiting for a press release.
Frequently Asked Questions
Which operators were affected by the Fast Track breach?
Fast Track has not released a full list of affected operators. The crypto casino Shuffle.com was among publicly confirmed victims. Any operator using Fast Track's CRM platform during the affected period should assume their player data may have been exposed.
What should affected operators do about GDPR notification?
Immediately assess what player data Fast Track held, determine whether the breach likely results in high risk to player rights (almost certainly yes given the data types), notify the IDPC within 72 hours, and consider direct player notification. Seek legal advice urgently.
Is SOC 2 certification meaningless after this breach?
Not meaningless — but insufficient on its own. SOC 2 Type 2 confirms controls existed at audit time. Continuous external monitoring (Panorays) and contractual security obligations are required to maintain confidence between audits.
Continuously monitor your vendors so the next breach doesn't blindside you
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.