Hundreds of NFL Players’ Personal Information Exposed Via Unsecured Database
Tech | 00:21 05.10.2017 (updated 03:21 05.10.2017)
The personal contact information of nearly 1,200 NFL players, including free agent players and sports agents, wound up exposed in an unsecured, publicly accessible database, a cybersecurity company revealed Monday.
The information, accessed from an open Elasticsearch database hosted on a server for the NFL Players Association (NFLPA), included email addresses, mobile phone numbers and home addresses of players and agents.
Bob Diachenko, the chief communications officer at cybersecurity company Kromtech Security, discovered on September 26 that roughly 1,133 NFL players and agents had their information exposed.
In total, the International Business Times reports that 1,262 email accounts belonging to both players and agents, including 75 email addresses linked to the NFLPA, were leaked. The outlet revealed that some of the emails contained information about adviser fee percentages.
The Times indicated that while not all information belonging to current players was leaked, several free agents, including Colin Kaepernick, Robert Griffin III and Darrelle Revis, were affected.
Diachenko said in a statement Monday that “anybody with internet connection could have accessed the data,” adding that the incident is the “first data leak of NFL player data.”
Per the official’s initial analysis, there technically was “no hacking” because the database “required no password or authentication.”
With the database now secured, the association has since alerted all affected parties to the incident.
“We have worked with cybersecurity experts at Microsoft and our database consultant to determine the extent of the improper access. We are confident that it was limited to a two-hour period last week,” the NFLPA wrote in an email, obtained by Forbes. “We want to emphasize that no information about you or your player’s Social Security Number or finances was in the data. Also, we are directly informing all players involved.”
“In addition to our work with Microsoft, we are engaging an independent firm to do a full review of all our cyber security measures,” the email concluded.
And yet, while the NFLPA says the exposure “was limited to a two-hour period,” Diachenko says otherwise. Evidence shows that the information was first compromised back in February 2017.
Citing a ransom note left by cyber criminals, Diachenko noted that administrators were instructed eight months ago to place 0.1 Bitcoin, approximately $429 at the time, into a Bitcoin wallet. The note gave officials 120 hours to meet the demand; otherwise, the information would be released to the public.
The officials never responded and the apparently chill criminals reportedly were not true to their word.
The Elasticsearch database at the center of the issue is used to collect data for tracking and analyzing user activity on several NFL domains, according to Diachenko.