It has been reported that ArbiterSports, the official software provider for the NCAA (National Collegiate Athletic Association) and many other US leagues, has announced that it fended off a ransomware attack. In a data breach notification letter filed with multiple states across the US, the company said that despite detecting and blocking the hackers from encrypting its files, the intruders managed to steal a copy of its backups. This backup contained data from ArbiterGame, ArbiterOne, and ArbiterWorks — three of the web applications used by schools and sports leagues to assign and manage the schedules and training programs of referees and game officials. ArbiterSports said it paid the hackers to delete the stolen data — a database backup.
One of the biggest problems when encrypting data is secure key management – when hackers gain access to encryption keys they start looking for data to decrypt because they know it has some value. The age-old adage rings true with the breach at ArbiterSports – encryption is easy, key management is hard. Keeping encryption keys accessible but secure is challenging when encrypting sensitive data in backup files, databases, cloud repositories, and other areas.
The best strategy is to avoid sole reliance on key-based data protection – deploying tokenization drastically reduces the chances of sensitive data being revealed because the data is replaced with meaningless, de-identified data and there is no key for an attacker to obtain. Tokenization is a highly secure, format-preserving data protection approach that does not require the generation, distribution, management, or rotation of encryption keys to protect data. In other high-profile data breaches, attackers were able to also decrypt data but were unable to access data that was tokenized. In the case of ArbiterSports, if tokenization had been utilised and the attackers were able to access and decrypt the stolen backup, the tokenized data would have remained secure.
The reported ArbiterSports hack is another reminder of how successful ransomware attacks have become. What is startling is that in this case more than 500,000 referees and game officials are impacted. My recommendation for ArbiterSports is not to play the victim card, because they will only be seen as villains by their members. It is extremely important to be transparent to members and to continue to work to improve their security hygiene. It is time for Arbiter to put their money where their mouth is to lower the likelihood of additional breaches. For the referees and game officials that have had their personal information stolen, inevitably every human on the face of the earth will have their personal information stolen 5-10 times over the course of their life. We have just become desensitised to the impact of breaches. I urge everyone affected by the breach to take advantage of Arbiter's offer of one year of free identity and credit protection services.
As we can see in this instance, ransomware attacks are no longer simply about entering a system and encrypting its data. Attackers have expanded their portfolio of extortion methods to include a wide range of assets. Even if the target could prevent encryption, the attacker has successfully stolen backups and can extort the target anyway. In such cases, data resilience is demanded. However, based on these reports, the attacker is able to decrypt the stolen data, exposing usernames, passwords, addresses, and Social Security Numbers. There is no doubt that this is why ArbiterSports paid the attacker to delete the backups. In any case, affected users should immediately change their passwords, especially if they have been reused for other services. Also, watch out for any signs of identity theft, such as unusual bank statements, activity to open a new bank account, loans, or receiving bills for unknown services. Information like addresses and Social Security Numbers is often used to commit acts of fraud and is, therefore, valuable private information.