NBA notifies fans of data breach at third-party newsletter provider


The National Basketball Association is the latest company or organization to suffer a data breach, with fan data stolen following the hack of a third-party newsletter service provider.

The association started informing affected fans last week, describing the data theft only as an “incident” for which it is sorry. The data stolen from the unnamed third-party provider included names and email addresses but did not include usernames, passwords, or other personal information.

The NBA said that it had activated its incident response procedures upon learning of the unauthorized access. Although the NBA itself wasn’t hacked, the association has hired outside cybersecurity experts and is working with the service provider to ensure that a breach does not occur again.

The NBA warned that the stolen data might result in a heightened risk of phishing emails from email accounts appearing to be affiliated with the NBA. The association also warned that the data could be used for social engineering attacks and that affected fans should be vigilant when opening suspicious emails or any other communications that may appear to come from the NBA or its partners.

The association added that it never asks for personal account information, such as usernames, by email and would never ask for password information under any circumstances.

The missing parts from this story include who the third-party provider was and how the data was stolen. The NBA says in its email to those affected that it is “committed to transparency,” but, at the same time, it isn’t being transparent about what actually happened.

One possible third-party candidate is the Intuit Inc.-owned Mailchimp, which suffered a hat trick of data breaches in January, although there is no clear link between Mailchimp and the NBA. Mailchimp does, however, have partnerships with other major sporting leagues, such as the National Football League.

“This is an unfortunate instance of a vendor not securing information provided by an organization,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “Unfortunately, this is all too common. However, in this case, limited information was made public.”

“Even though the information did not contain much sensitive information, by using a name and email address, along with the knowledge that this individual has an interest in the NBA, social engineers could put together a much more appealing phishing attack than if they had none of this information,” Kron added. “People whose information was leaked by this vendor should keep a wary eye open for targeted email phishing attacks related to NBA topics.”

Photo: Ramstein Air Base/Flickr
