NBA Teams Defend Against Phishing & Skimming Attacks
"With the massive amount of money involved in professional sports, this is not surprising."
Two NBA teams recently defended themselves against cybercriminal passes. The Indiana Pacers disclosed last week that they experienced a phishing attack, a few weeks after malware skimmed the Atlanta Hawks’ online payment information.
Pacers Sports & Entertainment (PSE), the corporate entity behind the NBA Pacers and the WNBA Indiana Fever, announced a security breach in a press release posted on its website May 10, saying that hackers obtained access to sensitive user information. The company blamed the breach on a phishing campaign that allowed access to several PSE employee accounts. It said hackers had access to these accounts between October 15, 2018, and December 4, 2018. The company said it learned of the breach on November 16. “After a thorough review of these email accounts, PSE determined that a limited number of personal records were present in the affected emails,” the company said.
PSE did not reveal if the information belonged to PSE employees or customers. Exposed information might include name, address, date of birth, passport number, medical and/or health insurance information, driver’s license/state identification number, account number, credit/debit card number, digital signature, username and password, and in some cases even Social Security numbers.
A few weeks ago, card thieves, also known as Magecart, injected a payment skimmer into the Atlanta Hawks’ online store. Fans who ordered merchandise on or after April 20 had their name, address and credit card stolen. Magecart gangs, which encompass at least seven different cybercriminal groups, often use a script that works like a card skimmer mounted on a physical card terminal. With the malicious script, hackers can lift electronic payment information in real time during checkout.
It is not clear if there is a new trend to hack sports teams, but as with all data breaches and/or events involving personal information, the risk could extend to credit unions and other financial institutions.
Some cybersecurity experts offered their opinions:
Jonathan Deveaux, head of enterprise data protection at the German-based comforte AG, commented: “When comparing these cyberattacks, in the case of the Indiana Pacers, an insider let someone from the outside gain access through a phishing scam. In contrast with the Atlanta Hawks, an outsider gained access to the inside through a website vulnerability.”
Deveaux noted companies focus on trying to keep outsiders out, but they still find a way to get in. “Shifting priorities in data security to focus on protecting the data on the inside may help minimize the data criminals steal. Organizations should look at data-centric security, which turns real credit card numbers to fakes, turns names to gibberish, and other sensitive data is de-identified. Then, it does not matter how an attacker gets in, or who the company is; the data isn’t exploitable.”
Colin Bastable, CEO of Austin, Texas-based Lucy Security, suggested, “The Indiana attack took place last year – so perhaps the trend is for organizations to be late in reporting breaches. Reporting breaches is a difficult process in the U.S., as so many states have their own regulations to be complied with. Remediation is so much more expensive than prevention.”
Bastable added that it looks like the attack lasted 6 weeks, which he said is a lot of time to have hackers active in an email system. He explained that perhaps it took this long to assess the full extent of the intrusion, or perhaps they still do not know how extensive it was. “The costs of data breaches escalate significantly in line with delayed detection and remediation.”
Bastable said, “The Atlanta Hawks website hack demonstrated the danger of ‘convenience’: the vulnerability appears to have come from integrating a third-party solution, perhaps an accounting app or a reporting tool. Adding more moving parts to IT infrastructure in this way has a multiplier effect on cyber-insecurity.”
Dan Tuchler, chief marketing officer of Santa Margarita, Calif.-based SecurityFirst, said, “We have now seen at least two hacking attacks targeting sports teams. With the massive amount of money involved in professional sports, this is not surprising. Should regulators take a closer look at sports teams and their websites? They are already adequately covered by broad e-commerce privacy regulations, but maybe they need more focused attention to compel them to make sure they keep private data secured.”