- Ransomware attack took place in February 2022
- Victims will be able to claim expenses if affected
The San Francisco 49ers will create an executive vice president of technology and a dedicated cybersecurity role as part of a settlement to a class action lawsuit relating to a cyberattack that exposed the personal information of more than 20,000 employees, officials, and fans.
The National Football League (NFL) franchise suffered a ransomware attack in February 2022, with the BlackByte collective claiming responsibility for the breach.
Typically, ransomware attacks infiltrate IT systems before encrypting data, with the perpetrators demanding a fee to decrypt the information for the victim. However, BlackByte is also known for selling data from its victims and also ‘leaked’ a subsection of data to as proof of its actions.
The plaintiffs argue that their personal information was exposed for a five day period but the 49ers failed to notify those affected until notifications were sent out more than six months later.
According to The Athletic, the National League Football (NFL) franchise will also implement “mandatory security training” for all employees, overhaul its procedures, and implement technical upgrades.
The settlement will also allow anyone involved in the data to breach to claim up to US$2,000 in expenses or up to US$7,500 in “extraordinary” expenses related to the breach of their data. Some of the plaintiffs claim their social security numbers had been sued on the dark web.
The 49ers told the publication it could not comment on ongoing litigation.
SportsPro says…
Sports teams and federations might be small businesses compared to large multinational corporations, but they are attractive targets for cybercriminals because they handle significant amounts of sensitive information to fans and command high profiles.
And, although there have been significant advances in IT and cybersecurity within the sports industry, many might lack sufficient protection or think they are unlikely to be targeted. Such a situation is untenable as sport becomes increasingly tech-reliant.
A cyberattack can have significant operational, reputational, and financial implications. Sports teams benefit from a deeper relationship with their fans than many businesses in other industries do with their customers, generating a higher degree of trust that means people are more willing to share data than they would be with a retailer.
Beyond that, compromised systems could halt ticket sales, prevent a stadium from opening its doors, or even see sensitive data related to player performance or recruitment fall into the hands of a malicious actor.
Such disruption is compounded by IBM reporting the average cost of a data breach increased by 2.6 per cent to US$4.35 million in 2022.
