The National Basketball Association (NBA) recently notified fans of the sport of a breach of data that may have involved their personal information. The data was being held by a third-party operator but was stolen in a cyberattack.

A well-established international basketball and media organisation, the NBA currently manages five different professional sports and e-sports leagues: the NBA, Basketball Africa League, WNBA, NBA G League, and the NBA 2K League. NBA games and programming are broadcast across the globe, in more than 215 countries and around 50 different languages.

Declaration of a data breach

The NBA issued emails to an undisclosed number of sports fans marked: “Notice of Cybersecurity Incident”. In the emails, the basketball association states that its dedicated IT systems were not penetrated and that the impacted fans’ account credentials were not affected by the incident. However, it did confirm that some personal information belonging to fans had been stolen.

The NBA email comments:

“We recently became aware that an unauthorised third party gained access to, and obtained a copy of, your name and email address, which was held by a third-party service provider that helps us communicate via email with fans who have shared this information with the NBA. There is no indication that our systems, your username, password, or any other information you have shared with us have been impacted.”

After the NBA was informed of the breach, it began a joint investigation with the third-party service provider, supported by an expert external cybersecurity service, to analyse the scope of the incident and its impact. The investigation is ongoing.

It is essential that every organisation sharing customer data with a third-party provider adopts sufficient security measures such as data encryption. Any third-party operator hired must be audited to ensure they share the same level of security practices and stance on data protection.

NBA fans warned of potential phishing attacks incoming

The basketball association has also warned that due to the sensitive and confidential nature of the personal data involved, an increased likelihood exists that the impacted individuals may be targeted by phishing attacks and other scams.

As a result, affected fans are being strongly encouraged to stay vigilant when receiving suspicious emails and other communications that appear to originate from either the NBA or its preferred partners. Social engineering attacks are a common occurrence following a data breach, in which threat operators use the personal information stolen to create more believable communications that encourage victims to trust their requests.

The notification emails sent by the NBA confirm that it will never ask fans by email for account information such as passwords and usernames. As a result, if fans receive such correspondence, they will know it is a cybercriminal scheme.

Impacted fans of the sport are also advised to verify that any emails they receive are sent from a genuine “@nba.com” email address and to always check that any embedded links point to an authentic website. Finally, they are advised never to open attachments they are not expecting.