Nobody likes their health information being made public. But for Olympic athletes, this has become an occupational hazard as allegations of cheating and the use of performance-enhancing drugs are exchanged between those found to be guilty and those who are clean.

This week, a group of hackers stole the information of a number of Olympic athletes from a World Anti-Doping Agency (WADA) database which revealed that 20 sports people from 14 countries had used drugs - ostensibly to help with recovery after injury or surgery.

Two New Zealand athletes who competed at the Rio Olympics - the rower, Mahe Drysdale, and the sailor, Peter Burling - are among those named in the dump of hacked information. As it happens, the information related to athletes who had been given legitimate exemptions to take certain drugs under WADA’s therapeutic use exemptions. The athletes named will not face any penalties because, under the system, they did nothing wrong and the drugs used were not in the performance enhancing category.

Spear phishing

It seems the hacker group, Fancy Bears, accessed an International Olympic Committee employee’s account using a technique called spear phishing which allowed them to log into the WADA’s Anti-Doping Administration and Management System (ADAMS) database. The group has since been disclosing the details of small groups of athletes since 13 September.

There has been speculation the group which claimed responsibility for the hack might be motivated by the ban which hit many Russian athletes - particularly track and field athletes - and prevented them from competing at Rio. Fancy Bears says it is acting to clean-up sport but many suspect it is retaliating for the ban on Russian competitors, which happened after an international investigation showed evidence of state-sanctioned sports doping in Russia.

Response team

WADA says it is taking this situation concerning athlete privacy very seriously and has put together a response team. It is also working with law enforcement agencies in Canada (where it is based) and elsewhere. WADA is also investigating how to prevent any further intrusions and consulting with cyber security experts to ensure that no more information is leaked.

WADA also confirmed Fancy Bears had obtained access to the Rio 2016 Olympic Games account by the spear phishing method. WADA says it is in contact with national anti-doping organisations and sporting federations whose athletes were hit by the hack, so the individuals could get the necessary support.

Data breach playbook

In taking these steps, WADA appear to be working from a standard data breach playbook. Our own Data Safety Toolkit outlines four similar key steps:

• Contain the breach
• Evaluate the risks
• Notify affected people if necessary
• Prevent a repeat

New Zealand organisations that hold personal information should look to our guidance on how to handle a breach so they know how to respond promptly. The Fancy Bears hack is a salutary example of what can be at stake and how an agency should respond.

Be vigilant

One of key lessons in this case is that it underlines just how convincing some spear phishing emails can appear. The potential repercussions, as illustrated in WADA’s case, can be very serious, depending on the nature of the information that is stolen and disclosed. A preventative measure would be to make sure that your colleagues are vigilant and aware of the dangers of emails that might not be bona fide. Check out this case study of a spear phishing breach.

In the meantime, reporting data breaches in New Zealand to the Privacy Commissioner is voluntary, but proposed changes to the Privacy Act are expected to be introduced to Parliament next year. If a breach meets a certain threshold of seriousness, the changes will make reporting that breach to our office mandatory.

Image credit: Fancy Bears

IPP11 - disclosure, security, cybersecurity, breach, data