The World Anti-Doping Agency has released details of the hack that led to the publishing of dozens of its private therapeutic use exemption records, as well as specifics of its own response to the breach.
The attack, which was perpetrated by the Fancy Bears’ Hacking Group, obtained data from an Anti-Doping Management System (ADAMS) built for the Rio 2016 Olympic Games. The system only contained data from athletes competing at the Olympics, according to a WADA statement released Wednesday. The hack did not spread into other WADA systems.
The most substantial revelation is that WADA found inconsistencies between some of the illicitly published data and its own ADAMS data, suggesting possible manipulation of the TUE documents by the hacking group.
WADA’s statement did not explain where those inconsistencies can be found, and the agency was not immediately available for comment.
Hackers gained access to the system multiple times from August 25 to September 12, 2016, using credentials obtained from an ADAMS user, according to the WADA statement. The group released TUEs from Bradley Wiggins, Chris Froome, and Fabian Cancellara, among other pro cyclists and Olympic athletes.
Therapeutic Use Exemptions qualify as private medical information and are therefore rarely shared with the public, except with the approval of the athlete in question.
A security and forensic firm called FireEye Inc. is conducting an investigation. As of Wednesday, that investigation was about 90% complete and had found no additional system compromises.
WADA warned ADAMS users to stay alert for additional phishing schemes. Phishing is a method of gaining login or other information illicitly by pretending to be a legitimate contact. WADA warned that some ADAMS users received suspicious emails, supposedly from WADA Deputy Director General Rob Koehler, advising them that WADA’s president wanted to speak with them regarding the hacks.
“To be clear, no such email was ever sent by the Deputy Director General. Please remain vigilant to such scams,” the WADA statement said.
WADA stated that it plans to increase ADAMS security. It will implement additional authentication controls and enhance its security logging and monitoring program.