The World Anti-Doping Agency (WADA) has been hit by a hacking group known as Fancy Bears, with the group releasing the sensitive private data of athletes online. Data concerning such superstars as Serena Williams has been leaked online, with WADA confirming both the hack and the perpetrators as the allegedly Russian hacking group.

WADA confirmed that its Anti-Doping Administration and Management system had been breached via login credentials assigned to an International Olympic Committee-created account for Rio 2016. The usernames and passwords were obtained through effective spear phishing attacks, where legitimate users were tricked into handing over their logins.

The leaked data pertains only to Rio 2016, although some of the leaked documents seem to date from before the summer games. WADA confirmed that confidential medical data had been stolen, which the leaked files bear out.

Although this raises serious questions about state-sponsored hacking, businesses can learn some very valuable lessons from the attack on WADA. CBR talked to the experts to see what businesses need to know and what to do in order to protect against a mass breach and phishing attack in the future.

1. Any Business Can Get Hacked

Luke Brown at Digital Guardian said: 

“Threat actors target both the public and private sectors, and everyone, even a global sporting regulator, can be vulnerable to this style of attack. To safeguard against spear-phishing, employees should be cautious of clicking embedded URLs or opening attachments in email.

For more advanced attacks, businesses should look to deploy software that can warn users when a program attempts to download a file from the Internet or write a file to disk. This will help organisations prevent such activities from happening in the background without users being aware. Prompts can also help train users to recognise and report attacks in progress.”

2. Fear Phishing

Wieland Alge at Barracuda Networks, said: 

“The most successful phishing attacks are those that impersonate a person, particularly if the recipient knows, or is expecting to hear from, that person, so initially those that have been targeted don’t even realise they’ve fallen victim.

“Spear phishing attacks are not particularly technical. For example, attackers often make subtle changes to the email address they use to send the spam from. This might include a spelling mistake or adding an extra character. Most people are trying to get things done quickly, so it really isn’t difficult to trick them. What’s clear is that the digital transformation of crime is running ahead of the digital transformation of most businesses. Because of this, many companies are vulnerable to a type of attack that does not only use technology, but a well-trained team of people.”
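One defensive check for the lookalike-address trick described above, added here as an illustration and not taken from the article or the vendors quoted: it flags sender domains that sit one or two edits away from a trusted domain, or that embed one. The trusted-domain list and the sample sender headers are constructed.

```python
# Added example: score inbound sender domains against a trusted allow-list.
# TRUSTED_DOMAINS and SAMPLE_SENDERS are constructed for illustration, not WADA config.

TRUSTED_DOMAINS = {"wada-ama.org", "olympic.org"}  # assumed allow-list

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or a bare 'user@domain'."""
    addr = address.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()

def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: address."""
    domain = sender_domain(address)
    for t in trusted:
        if domain == t or domain.endswith("." + t):   # exact match or real subdomain
            return "trusted"
    name = domain.rsplit(".", 1)[0]                  # drop TLD so a .com swap is still caught
    for t in trusted:
        t_name = t.rsplit(".", 1)[0]
        if (edit_distance(domain, t) <= max_dist     # typo or extra character
                or edit_distance(name, t_name) <= 1  # same name, different TLD
                or t in domain):                     # trusted name embedded in a longer domain
            return "lookalike"
    return "external"

SAMPLE_SENDERS = [  # constructed headers
    "WADA Admin <admin@wada-ama.org>",
    "admin@mail.wada-ama.org",
    "IOC Accounts <accounts@wada-arna.org>",      # 'rn' standing in for 'm'
    "noreply@wada-ama.com",                        # TLD swap
    "press@olympics.org",                          # extra character
    "login@wada-ama.org.accounts-verify.net",      # trusted name as a subdomain label
    "editor@cbronline.com",
]

def scan(senders=SAMPLE_SENDERS) -> dict:
    return {s: classify_sender(s) for s in senders}

if __name__ == "__main__":
    for sender, verdict in scan().items():
        print(f"{verdict:9} {sender}")
```

A verdict of "lookalike" is a reason to hold the message for review, not proof of fraud; legitimate partners do occasionally mail from oddly similar domains, so the allow-list needs maintaining.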

3. You Are Broken – Just Admit It

John Madelin, CEO at RelianceACSN said: 

“This Fancy Bear hack is a classic example of a well-executed spear phishing campaign used to dupe users into handing over their login details. It’s the latest in a long line of successful breaches carried out this year alone. But despite this, the industry refuses to recognise it is fundamentally broken. It’s simple economics: it costs far less for a hacker to breach companies’ walls than the worth of the data they’re targeting.

“Sensitive information like that held by WADA is part of the organisation’s critical data, and therefore needs to be completely secure. Key lessons to be taken away from this breach are that organisations need to educate employees and users on best practices to help prevent attacks like this in the future, and make the cost of breaching an organisation’s defences more than the data is worth to would-be hackers.”

4. Data Breaches Are Getting Personal

Jason Hart, CTO Data Protection at Gemalto said: 

“Regardless of your opinion on athletes and doping, the breach of the World Anti-Doping Agency’s (WADA) website is clearly an example of the changing face of data breaches and the rise of identity theft. According to Gemalto’s Breach Level Index, identity and personal data theft accounted for 64% of all data breaches in the first half of 2016. The main motivation for cybercriminals continues to move beyond financial theft to long-term identity theft. Data breaches are now more personal, as this WADA breach demonstrates, with the universe of risk exposure for people widening.”

5. Education, Education, Education

David Kennerley at Webroot said: 

“This attack demonstrates that the humble phishing scam continues to thrive as one of the most effective attack vectors, and is yet another example of the need for strong and continuous communication between organisations and their employees. User education should never be underestimated – it’s arguably the most cost-effective approach to improving the security posture of any organisation.

“Employees and users of an enterprise’s IT systems must be educated on the risks associated with phishing, with regular training and testing essential to ensure robust security. Fundamentally, organisations must realise that cybercriminals only need to find one hole in the defences to do serious damage, whereas security professionals have to secure against all eventualities, including phishing.”