The company associated with the Indiana Pacers – Pacers Sports & Entertainment (“PSE”) – issued a notice yesterday about a data security incident. Curious as to whether it impacted fans or employees, I skimmed it… only to be reminded yet again that our medical or health data can be breached in all kinds of settings.
The PSE notice indicates that there was a phishing incident that “may have affected certain personal information related to a limited number of individuals.”
PSE learned of suspicious email activity on or shortly before November 16, 2018, and their investigation subsequently revealed that an unknown actor or actors accessed a limited number of accounts between October 15 and December 4, 2018. But if they were able to lock out the attackers by early December, why did it take until now to make notification of this incident? Their notification states:
After a thorough review of these email accounts, PSE determined that a limited number of personal records were present in the affected emails. The organization then began diligently working to determine contact information for those individuals to notify them of the incident.
They do not disclose what a “limited number” of records or people actually means, but it appears that there was a lot of sensitive information potentially accessed and/or acquired by the attacker(s). According to their notification:
the information that may have been present in the emails may include: name, address, date of birth, passport number, medical and/or health insurance information, driver’s license/state identification number, account number, credit/debit card number, digital signature, and/or username and password. For a very small number of individuals, the data may also have included Social Security number.
So this was a high-risk situation in terms of having an attacker who had been accessing accounts with a wealth of information over a period of more than a month. The notification does not indicate whether the investigators confirmed whether data was actually exfiltrated or just accessed, but PSE is offering those affected credit monitoring services.
But if these individuals were employees of the Pacers’ organization, how difficult could it be for PSE to find contact information to notify them more quickly? Or were these email accounts storing very old data that might no longer be accurate on contact details?
You can read PSE’s full notice here.