tiero - Fotolia
The World Anti-Doping Agency (WADA) has confirmed a spear phishing attack allowed Russian hackers to access and leak medical data belonging to a slew of high-profile Olympic athletes.
A group of Russian cyber hackers, dubbed Fancy Bear, have claimed responsibility for breaching the WADA’s database, which is used to keep tabs on the prescription medications athletes consume and check they are permitted under anti-doping laws.
According to the WADA, the group gained access to the database by targeting an account created for the International Olympic Committee (IOC) in the lead up to this summer’s Rio 2016 Games.
“While it is an evolving situation, we believe that access to the Anti-Doping Administration and Management Systems (ADAMS) was obtained through spear phishing of email accounts, whereby ADAMS passwords were obtained enabling access to account information confined to the Rio 2016 Games,” the WADA said.
“We have no reason to believe that other ADAMS data has been compromised.”
Confidential medical records belonging to tennis players Serena and Venus Williams, along with those of gymnast Simone Biles, are among details leaked so far, but the group is understood to have threatened to release more.
The leaked data includes details of any “Therapeutic Use Exemptions” the athletes had in place for the Rio Olympics, which permitted them to use certain banned substances for medical reasons.
The WADA has launched an internal investigation into its security practices in the wake of the breach, and is working closely with law enforcers to catch the culprits, the organisation added.
Olivier Niggli, director general of the WADA, said the organisation believes the attack was an attempt by the hackers to undermine the worldwide anti-doping system after the agency’s recommendations that Russian athletes should be banned from competing in Rio.
“WADA deeply regrets this situation and is conscious of the threat that it represents to athletes whose confidential information has been divulged through this criminal act,” said Niggli.
“WADA has been informed by law enforcement authorities that these attacks are originating out of Russia, [and] let it be known that these criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia.”
John Madelin, CEO of internet security provider RelianceACSN, said the WADA attack could have been avoided.
“Sensitive information like that held by the WADA is part of the organisation’s critical data, and therefore needs to be completely secure,” he said.
“Key lessons to be taken away from this breach are that organisations need to educate employees and users on best practices to help prevent attacks like this, and make the cost of breaching an organisation’s defences more than the data is worth to would-be hackers.”