The Indiana Pacers franchise, Pacers Sports & Entertainment (PSE), fell victim to a phishing attack which resulted in unauthorized gaining access to emails containing personal information related to a limited number of individuals.

The threat actors accessed emails containing  names, addresses, dates of birth, passport numbers, medical and/or health insurance information, driver’s license/state identification numbers, account numbers, credit/debit card numbers digital signatures, and/or usernames and passwords.

For a limited number of individuals, social security numbers were also compromised, according to the data privacy notice.  

Between October 15, 2018, and December 4, 2018, the threat actors accessed a limited number of accounts without authorization at varying times. The organization learned of the suspicious activity on November 16, 2018 and took steps to secure the affected email accounts and investigate the incident, with the assistance of third-party forensic experts.

PSE is notifying those who were affected and urges those who were affected to monitor account statements for suspicious activity.

“The Indiana attack took place last year – so perhaps the trend is for organizations to be late in reporting breaches,” Colin Bastable, CEO of Lucy Security said. “Reporting breaches is a difficult process in the US, as so many states have their own regulations to be complied with. Remediation is so much more expensive than prevention.”

Bastable noted that the attack appears to have lasted for six weeks which is a long time to have threat actors in your email systems, although it may have taken this long to assess the full extent of the intrusion or worse, investigators still don’t know how extensive the damage is. Furthermore, the costs of remediation increase the longer the delayed reaction while comparing the attack to another basketball team hit with a cyberattack earlier this year.

“The Atlanta Hawks website hack demonstrates the danger of ‘convenience’: the vulnerability appears to have come from integrating a third party solution, perhaps an accounting app or a reporting tool,” Bastable said. “Adding more moving parts to IT infrastructure in this way has a multiplier effect on cyber-insecurity.”

Jonathan Deveaux, head of enterprise data protection at comforte AG noted the differences in the attack against the Hawks.

“In contrast with the Atlanta Hawks, an outsider gained access to the inside through a website vulnerability,” Deveaux said. “The Pacers made the NBA playoffs, and the Hawks only won 35 percent of their games.  Besides being sports franchises, the other thing they have in common is being in danger to weaknesses and gaps in the data security chain.”

Deveaux added that Shifting priorities in data security to focus on protecting the data on the inside may help minimize the data criminals steal and said that organizations should look at data-centric security, which turns real credit card numbers to fakes, turns names to gibberish, and other sensitive data is de-identified.  

“We have now seen at least two hacking attacks targeting sports teams,” Dan Tuchler, CMO at SecurityFirst, said. “With the massive amount of money involved in professional sports, this is not surprising.”

Tuchler suggested further regulation may be needed to compel companies to keep private data secure to prevent similar incidents from occurring.