Dusk image of surrounding buildings and skyscraper.

Hacked – IAAF victim of cyber-attack compromising athlete data

10 April 2017. Published by Nicola Cain, Partner and Stuart Harris, Associate

The International Association of Athletics Federations (IAAF) has been subject to a data breach – allegedly by Russian hacking group Fancy Bears - potentially compromising the sensitive data of a number of athletes.

Background

The IAAF released a statement last week (3 April 2017) stating that it had been the "victim of a cyber-attack" in February, which had targeted athletes who had made applications for Therapeutic Use Exemptions (TUEs).

Athletes make applications for TUEs when they require an exemption for the therapeutic use of a substance (or method) that is otherwise prohibited by WADA. It is believed that the IAAF has since made contact with more than 80 athletes who made applications for TUEs since 2012. The IAAF has also set up a dedicated IAAF email address and online query portal (askiaaf.org), for athletes with any queries or concerns about their TUEs applications.

The attack was detected during an investigation by cyber security firm Context Information Security (CIS), who were engaged by the IAAF at the beginning of the year to conduct a technical investigation of IAAF systems. CIS discovered that unauthorised remote access to the IAAF network had been made, with metadata on athlete TUEs "collected from an IAAF file server and stored in a newly created file".

Whilst the extent of the breach is not yet known, the IAAF has claimed that the hacking group Fancy Bears (also known as APT28, Pawn Storm, Sofacy Group, Sednit and STRONTIUM) was behind the attack.

Comment

The attack highlights the importance of having adequate security measures in place to deal with cyber-attacks, particularly for sporting organisations that hold highly sensitive / confidential information.  An example of some of the measures you should consider taking include:

  • Processes should be put in place to deal with data loss and security breaches (e.g. having a robust, tested data breach response / management procedure in place to quickly ID intrusions and find a resolution). This should set out reporting lines, responses, escalations, and be integrated with a comprehensive business continuity policy – make sure people in the business know how to respond and who to tell;

  • Invasive investigations into data security (for example trial data breaches and "friendly hacks" to identify weaknesses) should be conducted on a regular basis;

  • Access controls should be implemented to prevent unauthorised access / use. This includes:

    • Physical controls (e.g. alarms, locked cabinets, swipe cards, waste disposal); and

    • Logical controls (e.g. user identification and authorisation, passwords, biometrics) access restrictions;

  • Anti-virus software / firewalls should be installed on any systems and devices used to store and transmit data – and remember to update and maintain them;

  • Data should not be stored or accessed locally on devices which are not accessed through a secure network (e.g. desktop files);

  • Any portable and mobile devices used to store and transmit personal data should be protected using approved encryption software;

  • The following logs should be kept for audit purposes:

    • logs of data transfers and when data is accessed; and

    • logs of laptops and other portable and mobile devices (e.g. ensuring devices are returned by former personnel).

  • All personnel should receive training on personal data and the importance of data security, including how to recognise attempts to gain unauthorised access to data by "spoofing", "phishing" or "blagging", the potential consequences of failure to comply with internal and external rules on data security, and what to do in the event of a data breach;

  • Processes shall be put in place to ensure the secure destruction of data when required (e.g. confidential disposal / destruction for hardware, hard copies and electronic data, anonymising data);

  • Senior management may consider obtaining cyber insurance, to provide cover for the potential cost of data breaches (for example public relations, forensic investigation, legal advice, notification, web and credit monitoring).

RPC's Sportsand Media teams regularly advise clients on data and privacy issues.

RPC also has deep-rooted data compliance expertise, including RPC's integrated data breach response service, ReSecure.  With one call, ReSecure provides you with access to a combined team offering data breach management, technical forensic investigation, legal advice, notification, web and credit monitoring and public relations services.