The company said no financial information was stolen but the names, usernames, addresses, email contacts, phone numbers, and dates of birth of online betting account holders was compromised in the 2010 hacking.
The bookie, famed for its publicity stunts and its irreverent marketing campaigns, said the security lapse was an isolated incident.
Some 461,154 customers were registered in Britain, 120,849 in Ireland, and 67,052 internationally.
Paddy Power’s managing director of online business, Peter O’Donovan, insisted no passwords or financial details were taken in the breach, and there is no evidence that customer accounts have been hit by fraud.
“We sincerely regret that this breach occurred and we apologise to people who have been inconvenienced as a result,” said Mr O’Donovan.
“We take our responsibilities regarding customer data extremely seriously and have conducted an extensive investigation into the breach and the recovered data. That investigation shows that there is no evidence that any customer accounts have been adversely impacted by this breach.”
All affected customers are being contacted by the bookie.
Some 87,904 of them are classed as active, having placed a bet online this year.
Other information, like the maiden names of customers’ mothers may also have been taken, Paddy Power said as it advised customers to check their other online accounts that share similar information.
The hack was discovered in May when the bookmaker was told a person in Canada was allegedly in possession of an old dataset of Paddy Power customers. The company reported it to An Garda Síochána.
Mr O’Donovan said: “Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats.
“This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security, and infrastructure.”
The company said an investigation has shown precisely that the hacking only hit customers who held an account in 2010.
Paddy Power said it takes its responsibilities regarding customer data extremely seriously and it is deeply regrettable that the breach happened.
Ireland’s Data Protection Commissioner has been notified.
Paddy Power took legal action in Canada with the assistance of Ontario Provincial Police to retrieve the compromised dataset from an individual.
The company got two court orders to seize IT assets, to recover the dataset, and delete it from the IT systems of one person in the country in the second week in July.
Experts were also called in to examine the person’s bank accounts and financial transactions and to question him.
Paddy Power said it has invested more than €3.8m in its IT security systems in recent years.