The IT Certification Resource Center

Featured Deal

Get CompTIA, Cisco, or Microsoft training courses free for a week.
Learn More ❯

IT Could Happen to You: Security Breach Bites NBA Team

There are no exceptions when it comes to ensuring IT security in the workplace. Hackers can find your data in ways both creative and, price as the Milwaukee Bucks recently learned, supremely mundane.

Fear the deerEditor's Note: This article is the first in a two-part series about e-mail security.

 

The FBI, IRS and NBA, a trio of three-letter organizations that don’t often come together, crossed paths last month when the Milwaukee Bucks fell victim to an e-mail spoofing attack that compromised the personal financial information of team members. Star players like Khris Middleton and Giannis Antetokounmpo are more accustomed to worrying about their rebound, assist and steal numbers than their Social Security numbers — but this incident might have temporarily diverted that focus.

 

This attack made print and online headlines due to the high-profile nature of the victims, but e-mail spoofing attacks take place every day, targeting many different types of organizations. The vast majority of messages fall on deaf ears and are immediately discarded by savvy recipients who recognize them as scams.

 

This doesn’t bother the perpetrators of e-mail spoofing attacks because they’re playing a different type of numbers game — they’re counting on generating a large profit from each of the very small number of victims that respond to the scam messages. It only takes one unwitting victim to undermine the security of an entire organization. Just ask the Bucks!

 

What Happened?

 

On April 26, an employee in the Bucks front office received an e-mail that appeared to be from team president Peter Feigin. The e-mail requested sensitive financial information about team personnel and the employee, believing the request was legitimate, responded with copies of the W-2 statements for some or all team staff, including active players.

 

Unfortunately, as the culpable employee later found out, the message was not from Feigin but rather from an attacker seeking to gain personal information, likely for use in an identity theft operation. The Bucks discovered the theft of information almost three weeks later on May 16. In a press release, the Bucks stated:

 

“We take this incident, and the privacy and security of our employees, very seriously. We immediately launched an investigation, which is aggressive and ongoing. We quickly notified impacted individuals and are arranging for these individuals to have access to three years of credit monitoring and non-expiring identity restoration services.

 

“We have reported this incident to the IRS and the FBI, and will work with the authorities to continue our investigation and response to this incident. We believe this incident arose as a result of human error, and are providing additional privacy training to our staff and implementing additional preventative measures.”

 

The Bucks fall within the sweet spot of organizations most susceptible to these scams. They’re large enough that an unusual request might slip through the cracks because it’s not easy for an employee to poke his or her head into the president’s office and ask whether he really requested copies of employees’ W-2 statements.

 

At the same time, they’re small enough to lack many of the controls that would restrict employee access to large quantities of sensitive information, or block their transmission by unencrypted e-mail to an external recipient.

 

NBA players certainly make lucrative targets for identity theft, due to their relatively high net worth, but organizations of all types should be on guard against e-mail spoofing attacks. It’s hard to imagine an organization that doesn’t have at least a handful of highly compensated employees. Attackers also often reach beyond the ranks of the wealthy as well, exploiting the good credit of middle-class workers for personal gain.