Arbiter Sports Data Breach (2020)

ArbiterSports, the leading platform used by colleges, high schools and youth sports organizations to manage and pay assignments of sports officials, suffered a malicious hack this past summer, according to several public reports and confirmed by SoccerWire through research of court records in multiple states. The attack reportedly involved over 500,000 accounts and resulted in hackers obtaining “Account username and password, name, address, date of birth, email address, and Social Security number”. The company claims they have paid the requested ransom to the attackers and received evidence they subsequently deleted the stolen data. If you referee sports in the United States, odds are you have at some point had an account with ArbiterSports. If so, despite assurances from Arbiter they successfully agreed with their attackers to delete the data stolen in the attack, it is still highly recommended you take immediate action to protect yourself from identity theft and potential financial devastation, should the hack lead to criminals gaining access to your bank accounts. According to a disclosure letter sent to Arbiter’s users, the breach occurred sometime in the week leading up to July 15, 2020, the date which company first noticed the hack. However, this exhaustive list of records published by the Indiana Attorney General’s office lists the date of the initial breach as June 3, 2020. It also reveals that a total of 539,309 accounts were accessed. Multiple filings and notifications confirm the hack resulted in the theft of “account username and password, name, address, date of birth, email address, and Social Security number” of the accounts listed. They reportedly were able to identify and contact the unauthorized party, who demanded payment from Arbiter in exchange for the promise to delete the stolen files. According to information provided by Arbiter, they and the hackers eventually reached a ransom agreement, leading to Arbiter’s they had “obtained confirmation that the unauthorized party deleted the files.” Despite the attack being confirmed to have occurred prior to July 15, and seemingly as far back as June 3, it wasn’t until August 24 that ArbiterSports reported a security breach to multiple states’ Attorney General’s offices, via their D.C.-based law firm BakerHostetler. The community of referees effected, however, remain skeptical of the promise of a hacker to actually delete all data, especially given the amount of time elapsed between the breach and the so-called confirmation of deletion.