B.C. Lottery Corp. did not take adequate steps to protect gamblers' privacy when it launched its PlayNow.com online gambling site last summer, according to an investigation by B.C. Information and Privacy Commissioner Elizabeth Denham.

However, Denham concludes, BCLC has since taken steps to address the problem and the site now adequately protects users' privacy.

The PlayNow site, the first in Canada to allow casino gambling online, went live on July 15, but was shut down within hours after suffering a security glitch.

BCLC later acknowledged PlayNow experienced 134 "data crossovers," some of which allowed customers to see the personal details of other players, such as bank and creditcard information.

Denham launched an investigation into the matter, the results of which were released Tuesday. In a news release, Denham said she has concluded BCLC properly identified the cause of the breach and took steps to prevent it from happening again.

"However, a second, broader investigation identified a number of security gaps when the PlayNow.com online casino platform was launched, the cumulative effect of which resulted in inadequate protection of customers' personal information," the release stated. "The investigation identified inadequate user access controls and maliciouscode controls, unencrypted data transmission and gaps in BCLC's privacy management framework."

These security weaknesses were of particular concern, said Denham, given the types of people often attracted to online gambling.

"The inherent nature and high profile of online gaming websites expose customer personal information to increased risk," she wrote. "Gambling attracts the attention of organized crime and these individuals or groups have the means and the inclination to test the security of online gaming platforms."

Denham noted in her report that while the security gaps she identified were a concern, they were not directly responsible for the data crossover that occurred last July.

Her report made a number of recommendations to BCLC on how to address privacy concerns in the future, including creating a schedule for when customers' personal information should be destroyed.

BCLC president Michael Graydon said four of five of the recommendations will be implemented by March 1.

He said the fifth recommendation, which relates to retention schedules of data, requires government approval and will take longer to implement.

Graydon said the BCLC did "have fairly significant multiple layers of security" when it launched, but it welcomes Denham's suggestions for enhancements so that the company can ensure its customers privacy in future.

cskelton@vancouversun.com