Tokyo city skyline with Tokyo Tower and Tokyo Skytree in the distance showing data leak of Olympics ticket buyers

Japanese Official Says Data Leak Exposed Account Credentials of Olympics Ticket Buyers and Summer Games Volunteers

Login credentials of Tokyo Olympics ticket buyers were reportedly leaked on the internet, a government official speaking on condition of anonymity told Kyodo news.

Similarly, account credentials of Tokyo Paralympics ticket purchasers and the volunteers of the Summer Games have been leaked.

The data leak is among the string of setbacks plaguing the Tokyo event. Others include the resignation of the Japanese musician Keigo Oyamada. The artist resigned a few days ahead of the Tokyo 2020 opening ceremony after admitting to bullying and abusing disabled children.

About 10,000 domestic spectators were anticipated to attend various events, half of the venues’ capacity. Japan imposed a state of emergency in Tokyo and other hotspots and banned audiences at those arenas to curb the spread of the Coronavirus Delta variant.

Tokyo Olympics ticket data leak exposed buyers’ bank account information

The unnamed Japanese government official told Kyodo news that the data leak exposed login IDs and passwords of people who bought tickets on the Tokyo Olympics ticket portal. The leak also included names, addresses, and bank account information of ticket customers. The official attributed the data leak to unauthorized access of computers or smartphones. A cyber intelligence firm Dark Tracer also said on July 21 that classified documents related to the Tokyo 2020 Olympics games were posted online.

Although the information on the number of accounts affected was not available, the official said the data leak was not large. He also added that various mitigations had been implemented to prevent further compromise.

He also noted that the Tokyo 2020 organizing committee had launched an investigation into the data leak.

Tokyo Olympic organizers deny leaking Olympics tickets buyers’ data

The Tokyo 2020 International Communications Team spokesperson contradicted the Japanese government official.

He said that the committee had checked the system and confirmed that the data leak did not originate from the Tokyo 2020 ticketing system.

Additionally, he claimed that only a “very limited number of IDs” were affected based on the information provided by the Japanese government. He added that they had initiated the password reset process to mitigate the effects of the Olympics ticket buyers’ data leak.

Others corroborated the Olympics committee’s claims by suggesting that the leaked data was not directly exfiltrated from the official websites.

They argued that the Olympics ticket data circulating on the dark web was likely harvested from users infected with the Redline malware and other infostealers.

Dark Tracer’s CEO Louis Hur suggested that the Olympics ticket buyers’ and volunteers likely typed the leaked information into phishing websites mimicking the official websites.

“Cybersecurity threats against the Olympics are not without precedent, however, the Tokyo Olympics continue to be targeted repeatedly by bad actors,” Alexa Slinger, Identity Management Expert at OneLogin, said. “The attacks started with a series of phishing attempts in late 2020 when hackers attempted to lure users by impersonating Olympic staff.”

Warnings of cyber attacks targeting Tokyo Olympics

Earlier, the FBI had warned the Tokyo 2020 Summer Olympics partners and organizers about various attacks, including ransomware, DDoS, insider threats, phishing, and social engineering attacks targeting the Olympics data and infrastructure.

Highly targeted systems include ticketing, broadcasting, transport, hospitality, and security infrastructure.

Similarly, the UK government warned that the Russian military intelligence unit (GRU) was conducting cyber reconnaissance against the Tokyo Olympic officials, infrastructure, and sponsors.

However, organizers assured the public that appropriate cybersecurity measures were in place to prevent anticipated attacks. The country initiated an ethical hacking program intended to reinforce the country’s response against cyberattacks targeting the Olympics.

“Cybercriminals often capitalize on major world events, due to the breadth of information they can gather as well as the opportunity to increase their own notoriety, so it is no surprise we have already seen a credential leak from the summer Olympics,” says Ralph Pisani, president, Exabeam.

For example, Russian hackers hijacked Olympics servers using the Olympic Destroyer malware in the Pyeongchang cyberattack disguised by North Korea threat actors in 2018. Six Russian spies were charged in the United States following the security incident.

Similarly, the Fujitsu cyber attack exposed sensitive information, including the Tokyo 2020 Organizing Committee and various government departments’ data.

The incident exposed the names and business titles and professional affiliations of individuals from 90 organizations, including game sponsors, organizing committees, government ministries, and local governments managing various venues including Tokyo and Fukushima. It also exposed details of 170 people involved in security, probably allowing the hackers to access the information necessary for subsequent attacks.

Olympics organizers denied being the source of the #dataleak that exposed account credentials of ticket buyers and summer games volunteers. #cybersecurity #respectdataClick to Tweet

“Another day, another data leak, and this one couldn’t be more timely given the pending opening of the Olympics in just two days,” Uriel Maimon, senior director of emerging technologies at PerimeterX. “The logins and passwords posted from the Tokyo Olympic ticket portal can be used to steal funds or create synthetic identities, which could enable cybercriminals to apply for new accounts. That said, the damage of breaches is not only directly financial.”