A company that provides software for sports leagues to manage referees and game officials has disclosed a security incident that impacted around 540,000 of its registered members — consisting of referees, league officials, and school representatives.
ArbiterSports, the official software provider for the NCAA (National Collegiate Athletic Association) and many other leagues, said it fended off a ransomware attack in July this year.
In a data breach notification letter filed with multiple states across the US [1, 2], the company said that despite detecting and blocking the hackers from encrypting its files, the intruders managed to steal a copy of its backups.
This backup contained data from ArbiterGame, ArbiterOne, and ArbiterWorks — three of the web applications used by schools and sports leagues to assign and manage the schedules and training programs of referees and game officials.
ArbiterSports said the backups contained sensitive information about users who registered on these web apps, such as account usernames, passwords, real names, addresses, dates of birth, email addresses, and Social Security numbers.
“The passwords and Social Security numbers were encrypted in the file, but the unauthorized party was able to decrypt the data,” the company said.
ArbiterSports said that after blocking the attempt to encrypt its local data, the hackers reached out and demanded payment in exchange for deleting the files that they obtained.
The company said it paid the ransom demand and “obtained confirmation that the unauthorized party deleted the files.”
However, there is no guarantee that the hackers haven’t made a copy of the data before deleting ArbiterSport’s data. Sources in the incident response (IR) community have told ZDNet about cases where ransomware gangs did not delete the data.
An ArbiterSports spokesperson was not immediately available for additional comments, despite repeated attempts.
The ArbiterSports incident is reminiscent of a similar incident disclosed by Blackbaud, a provider of cloud-based software to universities and non-profits. Blackbaud also avoided having its files encrypted, but eventually had to pay hackers to delete files they stole before being detected.
The Blackbaud incident triggered a wave of second-hand breach notifications from universities, schools, and colleges all over the world, all who had to inform their own customers of the incident.