How the gaming and gambling industry can strengthen its cyber defenses


No business wants to take a gamble when it comes to cybersecurity. Ironically, that’s especially true in the gaming and gambling industry.

It’s a sector that’s booming. By 2030, the global online gambling market is expected to nearly double to approximately $154 billion, growing at almost 12% year on year. For operators, it’s good news. However, that growth is also attracting cybercriminal attention.

Sam Peters

Chief Product Officer, ISMS.online.

Between 2022 and 2024, iGaming fraud surged 64% year-over-year on average. And more recently, several major incidents have made headlines.


In July 2025, Flutter Entertainment (the parent company of Paddy Power, Betfair, Sky Betting & Gaming, PokerStars and other brands) confirmed that it had suffered a data breach affecting 800,000 customers.

More recently, in February 2026, casino operator Wynn Resorts confirmed that it had suffered a cyberattack from hacking group ShinyHunters, which claimed to have stolen over 800,000 records including employee data and personally identifiable information.

Mounting data, operational, reputational and supply chain threats

Gaming and gambling firms have become increasingly attractive targets for threat actors for several reasons. These are companies that have extensive digital footprints and hold vast amounts of financial and personal information.

For sector players, the use of data is crucial: to better understand player behaviors, drive strategic investments and content strategies, and enable the redesigning and personalization of games to make them more engaging.

However, for cybercriminals who seek financial gain or simply wish to execute malicious attacks on companies and their players, that creates fertile ground on which they can wreak havoc.

With so much transactional data, personal information and payment information at play, any single breach can be devastating. Threat actors also know that gaming and gambling companies typically operate around the clock, making downtime disproportionately costly.

For industry players, uptime is the foundation of revenue generation. Many platforms serve players on a 24/7 basis, and even minor user experience issues or disruptions from hacks can quickly have users turning to competitors.

These pressures are amplified by the real-time nature of gaming industry transactions. Bets must be accepted and settled instantly. If they’re not, players will almost always look elsewhere in an industry where customer loyalty can be thin and alternatives are plentiful.

For threat actors, the opportunity to inflict maximum pain on their targets is, therefore, clear. Any downtime or disruption quickly results in lost revenue and undermines customer trust, making it easier to back companies into a corner when it comes to data breaches or ransomware.

At the same time, there is also the growing challenge of increasingly interconnected supply chains. Behind the polished UX of gaming platforms is a complex web of third-party vendors, data providers, software solutions, payment processors, identity verification services, cloud platforms, odds generators and more that collectively contribute to an ever-widening attack surface.

For cybercriminals, going after suppliers that have privileged access to core systems can be an easy way in, with compromises of minor vendors capable of resulting in huge ripple effects.

For many attack groups, it’s become a preferred method. So much so that the global annual cost of software supply chain attacks to businesses is expected to reach a staggering $138 billion by 2031, up from $60 billion in 2025. Indeed, one small weak link in the chain can present massive cyber risks for gambling and gaming companies.

ISO 27001 and ISO 27701 should be the foundations for improved resilience

With the stakes so high in the gaming and gambling sector, cyber resilience has become essential.

For many, it’s a priority concern. In a survey conducted by EY, 47% of gaming executives stated that mitigating cyber risks is a key challenge. The question for operators is what practical steps can be taken.

For many, ISO 27001 will serve as a natural starting point, being a globally recognized framework and blueprint for developing an effective information security management system. Critically, it provides organizations with a structured way to identify risks, implement controls and embed clear processes and policies in relation to data protection.

For gambling companies, ISO 27001 is particularly relevant. The Gambling Commission’s remote gambling and software technical standards (RTS) specifically require operators to complete a third-party annual security audit that is mapped to specific sections of ISO 27001.

In this sense, while full certification isn’t mandatory, aligning with it can help operators easily demonstrate best practice in relation to secure authentication, data encryption, identity verification, monitoring, data retention and supplier oversight.

Other legislation also applies. For example, any online gambling organization taking credit card payments must also adhere to PCI-DSS – however, it’s worth noting that many of the security requirements overlap and intersect with the controls identified under the Gambling Commission’s technical requirements.

For gambling firms that operate across multiple jurisdictions, there can be a host of different licensing rules, data processing conditions and data transfer restrictions to manage.

For firms to which this applies, ISO 27701 also acts as a useful extension to ISO 27001, providing them with a privacy management framework which aligns with GDPR and other international privacy expectations.

As regulatory expectations evolve, supportive partners can help ease growing burdens

While sound starting points, these standards represent only part of the regulatory landscape. Given the gaming and gambling industry’s various challenges, controls and restrictions, firms are having to comply with an increasingly wide range of regulatory obligations that extend beyond information and privacy.

The responsible gambling regulations stand as a prime example, requiring firms to demonstrate robust processes around player protection, affordability assessments, behavioral monitoring and self‑exclusion.

Further, more bespoke oversight is also often demanded of operators in areas such as game fairness, random number generator testing, anti‑money laundering controls, geolocation restrictions, new market licensing conditions and even internal governance or board‑level reporting structures.

It’s of little surprise that companies frequently cite evolving regulation and region-specific licensing requirements as common pain points, alongside increasing enforcement on responsible gambling, rising expectations for encryption and secure logins, pressure to evidence processes to regulators, growing data privacy risk, the high cost of failed audits or license delays, and disjointed internal tools and manual processes.

In reality, the burdens are extensive. And for many firms, the most logical way to ease these is to work with a dedicated security, privacy and compliance partner that can provide support and solutions covering the full spectrum of regulatory requirements and industry best practices.

In an industry where the regulatory picture never stands still, that kind of comprehensive support can be the difference between keeping pace with compliance and customer expectations - and falling behind.


This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
