Expert Comments

Experts On News that Data of more than 500,000 referees stolen in ransomware attack

Expert(s): Security Experts
Expert(s): Security Experts

It has been reported that ArbiterSports, the official software provider for the NCAA (National Collegiate Athletic Association), and many other US leagues have announced it fended off a ransomware attack. In a data breach notification letter filed with multiple states across the US, the company said that despite detecting and blocking the hackers from encrypting its files, the intruders managed to steal a copy of its backups.  This backup contained data from ArbiterGame, ArbiterOne, and ArbiterWorks — three of the web applications used by schools and sports leagues to assign and manage the schedules and training programs of referees and game officials. ArbiterSports said it paid the hackers to delete the stolen data — a database backup.

Experts Comments

Dot Your Expert Comments
Warren Poschman
September 23, 2020
Senior Solutions Architect
comforte AG

The best strategy is to avoid sole reliance on key-based data protection.
One of the biggest problems when encrypting data is secure key management - when hackers gain access to encryption keys they start looking for data to decrypt because they know it has some value. The age-old adage rings true with the breach at ArbiterSports – encryption is easy, key management is hard. Keeping encryption keys accessible but secure is challenging when encrypting sensitive data in backup files, databases, cloud repositories, and other areas. The best strategy is to avoid.....Read More
One of the biggest problems when encrypting data is secure key management - when hackers gain access to encryption keys they start looking for data to decrypt because they know it has some value. The age-old adage rings true with the breach at ArbiterSports – encryption is easy, key management is hard. Keeping encryption keys accessible but secure is challenging when encrypting sensitive data in backup files, databases, cloud repositories, and other areas. The best strategy is to avoid sole reliance on key-based data protection - deploying tokenization drastically reduces the chances of sensitive data being revealed because the data is replaced with meaningless, de-identified data and there is no key for an attacker to obtain. Tokenization is a highly secure, format-preserving data protection approach that does not require the generation, distribution, management, or rotation of encryption keys file to protect data. In other high-profile data breaches, attackers were able to also decrypt data but were unable to access data that was tokenized. In the case with ArbiterSports, if tokenization had been utilised and the attackers were able to access and decrypt the stolen backup, the tokenized data would have remained secure.  Read Less
Sam Curry
September 23, 2020
Chief Security Officer
Cybereason

Take advantage of Arbiters offer of one year of free identity and credit protection services.
The reported ArbiterSports hack is another reminder of how successful ransomware attacks have become. What is startling is that in this case more than 500,000 referees and game officials are impacted. My recommendation for ArbiterSports is not to play the victim card, because they will only be seen as villains by its members. It is extremely important to be transparent to members and to continue to work to improve their security hygiene. It is time for Arbiter to put their money where their.....Read More
The reported ArbiterSports hack is another reminder of how successful ransomware attacks have become. What is startling is that in this case more than 500,000 referees and game officials are impacted. My recommendation for ArbiterSports is not to play the victim card, because they will only be seen as villains by its members. It is extremely important to be transparent to members and to continue to work to improve their security hygiene. It is time for Arbiter to put their money where their mouth is to lower the likelihood of additional breaches. For the referees and game officials that have had their personal information stolen, inevitably every human on the face of the earth will have their personal information stolen 5-10 times over the course of their life. We have just become desensitised to the impact of breaches. I urge everyone affected by the breach to take advantage of Arbiters offer of one year of free identity and credit protection services.  Read Less
Boris Cipot
September 23, 2020
Senior Sales Engineer
Synopsys

Information like addresses and Social Security Numbers are often used to commit acts of fraud.
As we can see in this instance, ransomware attacks are no longer simply about entering a system and encrypting its data. Attackers have expanded their portfolio of extortion methods to include a wide range of assets. Even if the target could prevent encryption, the attacker has successfully stolen backups and can extort the target anyway. In such cases, data resilience is demanded. However, based on these reports, the attacker is able to decrypt the stolen data, exposing usernames, passwords,.....Read More
As we can see in this instance, ransomware attacks are no longer simply about entering a system and encrypting its data. Attackers have expanded their portfolio of extortion methods to include a wide range of assets. Even if the target could prevent encryption, the attacker has successfully stolen backups and can extort the target anyway. In such cases, data resilience is demanded. However, based on these reports, the attacker is able to decrypt the stolen data, exposing usernames, passwords, addresses, and Social Security Numbers. There is no doubt that this is why ArbiterSports paid the attacker to delete the backups. In any case, affected users should immediately change their passwords, especially if they have been reused for other services. Also, watch out for any signs of Identity Theft, such as unusual bank statements, activity to open a new bank account, loans, or receiving bills for unknown services. Information like addresses and Social Security Numbers are often used to commit acts of fraud and are, therefore, valuable private information.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

Fake App Attacks On The Rise, As Malware Hides In...

Expert On Study That Brits Using Pets’ Names As Online...

Expert Reaction On Europol Publishes Its Serious And Organised Crime...

Fake Netflix App Allows Hackers to Hijack WhatsApp

Hackers Pretend To Be Your Friend In The Latest WhatsApp...

Millions Of Brits Still Using Pet’s Names As Passwords Despite...

Advertised Sites May Appear Genuine On First Glance

Facebook Ran Ads For Malware-ridden ‘Clubhouse for PC’

Linkedin Data Of 500 Million Users Being Sold Online

Experts Comments On Identity Management Day – Tuesday 13th April