The National Basketball Association (NBA) is warning fans of a data breach that leaked their personal information from a third-party newsletter service.
In a cybersecurity incident alert, the NBA said it discovered that an unauthorized party gained access and obtained fans’ personally identifiable information (PII) from the third-party service.
While most famous for the North American men’s basketball league, the NBA is a global sports and media organization managing several professional sports leagues, including the NBA, WNBA, NBA G League, NBA 2K League, and Basketball Africa League.
NBA’s newsletter service provider data breach exposed fans to phishing attacks.
The NBA said it activated internal incident response procedures and launched an investigation with external cybersecurity experts to analyze the data breach.
The professional basketball organization discovered that the threat actor accessed fans’ names and email addresses.
“We recently became aware that an unauthorized third party gained access to, and obtained a copy of your name and email address which was held by a third-party service provider that helps us communicate via email with fans who shared this information with the NBA,” the sports organization said in a data breach notification sent to the victims.
However, the NBA clarified that the data breach did not compromise its internal IT systems or expose the victims’ usernames, passwords, or any other information.
Nevertheless, the basic personally identifiable information exposed is sufficient to support social engineering attacks. Accordingly, the NBA warned fans to be vigilant of potential phishing attacks when opening emails purporting to be from the sports body.
The NBA advised users to confirm that the emails purporting to be from the NBA originate from the official domain “@nba.com” and only include links from legitimate sources.
Additionally, the NBA explained that it would never request sensitive information such as social security numbers and credit cards via email. Similarly, the sports organization does not request account information such as emails and passwords.
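The NBA's advice above amounts to two checks a fan or a mail-security team can apply to any message that claims to come from the league: does the real sender address (not the display name) end in the official domain, and do the embedded links point only at that domain? The script below is an added example, not code from the NBA or from the article; the allowlist rule (official domain plus its subdomains), the sample messages, and all helper names are assumptions constructed for illustration. It parses a raw message, reads the domain of the actual address in the `From` header, collects link targets from both anchor tags and bare URLs in the body, and flags anything outside the official domain.

```python
"""Check whether an e-mail claiming to come from the NBA actually originates
from the official domain and only links to that domain.

Added example, not part of the original article. The allowlist rule, the two
sample messages and all helper names are constructed assumptions.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "nba.com"  # the domain the NBA told fans to look for

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class _LinkCollector(HTMLParser):
    """Collect href targets from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def sender_domain(from_header):
    """Domain of the real address in a From header, lower-cased.

    The display name is deliberately ignored: 'NBA <x@example.net>' yields
    'example.net', because the display name is free text the sender controls.
    """
    _, addr = parseaddr(str(from_header))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def host_allowed(host):
    """Official domain or one of its subdomains. The leading dot in the
    suffix test matters: 'fakenba.com' must not pass as 'nba.com'."""
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def link_hosts(body_text):
    """Hostnames of all links: anchor hrefs plus bare URLs, de-duplicated,
    in order of first appearance. Relative links yield '' and are flagged."""
    collector = _LinkCollector()
    collector.feed(body_text)
    seen, links = set(), []
    for link in collector.links + URL_RE.findall(body_text):
        if link not in seen:
            seen.add(link)
            links.append(link)
    return [(urlparse(link).hostname or "").lower() for link in links]


def check_message(raw_bytes):
    """Parse a raw RFC 5322 message and return a small triage report."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    domain = sender_domain(msg["From"] or "")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hosts = link_hosts(text)
    bad_hosts = [h for h in hosts if not host_allowed(h)]
    return {
        "sender_domain": domain,
        "sender_ok": domain == OFFICIAL_DOMAIN,
        "link_hosts": hosts,
        "bad_link_hosts": bad_hosts,
        "suspicious": domain != OFFICIAL_DOMAIN or bool(bad_hosts),
    }


# Constructed sample messages (not real mail). Both carry the display name
# "NBA"; only the first actually comes from the official domain.
LEGIT = b"""From: NBA <newsletter@nba.com>
To: fan@example.org
Subject: This week in the NBA
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.nba.com/news">Read more</a></body></html>
"""

SUSPICIOUS = b"""From: NBA <updates@nba-example.net>
To: fan@example.org
Subject: Verify your account
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://login.example.net/verify">Confirm</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(label, check_message(raw))
```

The point the display-name handling makes is the one the NBA's advice depends on: a mail client shows "NBA" for both samples, and only the address after the `<` reveals the real domain. The suffix check with a leading dot is the other detail worth copying; a bare `endswith("nba.com")` would accept any domain that merely ends in those letters.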
The NBA did not name the breached third-party email marketing and newsletter service provider.
It is not uncommon for newsletter service providers to be targeted, because their systems hold personal information belonging to the customers of many organizations at once. In January 2023, Mailchimp recorded its third data breach in 12 months. Hackers also leveraged the newsletter service’s systems to send crypto-related phishing messages in April 2022.
However, the professional basketball association did not suggest that the data breach originated from Mailchimp.
Sports organizations at risk of cyber attacks
Sports organizations are attractive targets for cybercriminals. According to an Ipsos MORI survey commissioned by the UK’s National Cyber Security Centre (NCSC), 70% of respondents had suffered a cyber incident or breach.
Because of the geopolitical impact of sports, nation-state actors are also interested in compromising sports organizations. In 2021, the Swedish government found that the Russian military intelligence agency GRU had hacked the Swedish Sports Confederation in 2017 and 2018.
However, Erich Kron, a security awareness advocate at KnowBe4, attributes the NBA data breach to an internal security faux pas instead of aggressive targeting by a sophisticated threat actor.
“This is an unfortunate instance of a vendor not securing information provided by an organization,” said Kron. “Unfortunately, this is all too common. However, in this case, limited information was made public.”
Nevertheless, he warned that the stolen information could aid attackers in crafting compelling phishing scams: “Even though the information did not contain much sensitive information, by using a name and email address, along with the knowledge that this individual has an interest in the NBA, social engineers could put together a much more appealing phishing attack than if they had none of this information.”