A hacker recently breached the systems of USA Cycling and potentially compromised members’ personal information.
On Friday afternoon, USA Cycling, the official cycling organization recognized by the International Olympic Committee (IOC) and the United States Olympic Committee (USOC), warned that it had suffered a “data security incident”.
In an email sent out to its more than 62,000 members, USA Cycling said a breach of its IT systems may have exposed members’ names, mailing addresses, email addresses, dates of birth, emergency contact details, and passwords, reports Cyclocross.
VeloNews quoted a USA Cycling statement saying that it believed it had now secured its network:
“What we know of the incident is that a hacker gained access to at least some of our databases within the last two weeks. We have been in contact with the authorities, and have employed a leading cyber-security expert to advise us in this matter. We believe we have now secured all our systems and face no further data security risks. We are notifying you as soon as we were able to assess the situation and secure our systems.”
At this time, no financial information or highly sensitive personally identifiable information, such as Social Security Numbers, is believed to have been compromised in the attack.
A FAQ page hosted on the organization’s website provides more information on what happened and how people’s personal information might have been exposed.
Reading through the page, it’s clear USA Cycling could have done more to protect its members’ data, such as by storing their passwords in encrypted form.
Fortunately, it is owning up to its mistakes.
“We deeply regret that our member account passwords were not encrypted. We were aware of this need, and have been exploring fixing that data security vulnerability for the last several months. But the legacy IT system we have been operating on for the past decade or more makes the transition very difficult and costly. And because we are embarking on a total overhaul of our IT systems, which will include moving to encrypted data storage within the next several months, we chose not to invest in our current system and then promptly replace it with a new system. In hindsight, we regret that decision as we should have encrypted data on our old system with absolute urgency. We are very sorry for this mistake.”
Going forward, the organization intends to revamp its website and IT systems, which will include encrypting member passwords and security questions.
All members of the cycling organization are urged to be on the lookout for a password reset email. This email comes with a link that users can click on to change their passwords. (Not the best mode of recovery, to be sure. Password reset links are a common method employed by phishers, something which the organization itself acknowledges on its FAQ page.)
If you are a member of USA Cycling, please make sure that your new password is strong and unique. You should also change all of your current account credentials that might have used that same password.
Such caution ensures that even if your password is compromised, a bad actor won’t be able to run amok through all of your web accounts.
It's owning up to its mistake. Fine. But:
'But the legacy IT system we have been operating on for the past decade or more makes the transition very difficult and costly.'
Even two decades this shouldn't have been a problem. And it's a lot longer than that. It's known that many organisations don't encrypt passwords, but to say it's because of a lack of technology or older infrastructure is at most half-truths and still inexcusable. But yes, at least they are attempting to fix it and are admitting their failures (at least in part). That may be an encouraging thought.