Fifa hacked again as officials fear information has been illegally obtained

News by Rene Millman

Fifa officials have declined to say what information was stolen in a recent data breach, but a consortium of media outlets say they will publish stories based on leaked documents later this week.

The international football federation Fifa has admitted to a data breach of its IT systems earlier in the year.

According to a report in the New York Times, the sporting organisation was hacked for a second time this year. Officials fear that the hack may have led to a data breach.

The hack happened in March this year but it is not known what data was compromised.

The report said that a number of European media organisations plan to publish stories based in part on the internal documents as early as Friday. A group known as Football Leaks is thought to have obtained the documents.

It is thought that UEFA officials were targeted as part of a phishing attack, although the organisation has not found evidence of an attack.

In a statement to the media, Fifa said that it "condemns any attempts to compromise the confidentiality, integrity and availability of data in any organisation using unlawful practices".

"We are concerned by the fact that some information has been obtained illegally," it added.

Fifa told the BBC that after the hack in March, it took a number of measures to improve IT security, in order to protect employees. "It's an ongoing issue, which Fifa has to face just like countless organisations around the world who are all dealing with data security challenges," the statement added.

Rob Shapland, principal cyber-security consultant at Falanx Group, told SC Media UK that the hack on Fifa appears to have been a very common phishing attack that tricks users into entering their password into a fake version of a website that they recognise, such as Microsoft Outlook.

"Preventing such attacks requires a multi-level approach, using email defence software to filter out emails that have links masquerading as legitimate sites, combining this with awareness training for staff so they know what to look out for, and regular controlled phishing tests to educate staff on the types of tactics used by nation states and cyber-criminals," he said.

"Fifa may not have been using this approach due to cost or lack of knowledge on how to defend, or it's possible they just got unlucky and the email bypassed their filters and a staff member clicked the link."

Javvad Malik, security advocate at AlienVault, told SC that while details are unclear at this time as to the exact nature of the breach and targeted information, Fifa suspects legitimate credentials were obtained through phishing users.

"In such cases, raising awareness of the dangers of phishing to staff is the best first step. In addition, threat detection controls such as behavioural monitoring which can indicate when user activity deviates from the norm can be used to identify compromised accounts," he said.

Malik added that nation state actors are resourceful, which creates an asymmetric playing field where the attackers often have the advantage of time to understand and work their way into an organisation.

"So, preventative measures may not always be effective. However, having strong detection controls in place can allow companies to identify where an attacker may have got in, and take the appropriate measures quickly to minimise the harm."
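As an added illustration of the behavioural-monitoring control Malik describes (example code written for this article, not from Fifa, AlienVault or Falanx): it builds a per-user login baseline from constructed sample events and flags later logins that deviate from that baseline on several dimensions at once. The users, countries, timestamps and user agents are invented.

```python
"""Flag logins that deviate from a user's established baseline (constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed historical logins: (user, ISO timestamp, country, user agent)
BASELINE_EVENTS = [
    ("alice", "2018-03-01T08:12:00", "CH", "Outlook/16"),
    ("alice", "2018-03-02T09:03:00", "CH", "Outlook/16"),
    ("alice", "2018-03-05T08:45:00", "CH", "Outlook/16"),
    ("bob", "2018-03-01T22:10:00", "FR", "Firefox/59"),
    ("bob", "2018-03-03T23:05:00", "FR", "Firefox/59"),
]

# Constructed new logins to score against the baseline
NEW_EVENTS = [
    ("alice", "2018-03-12T08:30:00", "CH", "Outlook/16"),  # matches her norm
    ("alice", "2018-03-12T03:15:00", "SG", "curl/7.58"),   # new country, agent, hour
    ("bob", "2018-03-12T22:40:00", "DE", "Firefox/59"),    # only the country is new
]

def build_baseline(events):
    """Per user: the countries, user agents and hours of day seen so far."""
    profile = defaultdict(lambda: {"countries": set(), "agents": set(), "hours": set()})
    for user, ts, country, agent in events:
        p = profile[user]
        p["countries"].add(country)
        p["agents"].add(agent)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return profile

def score_login(profile, event, hour_slack=2):
    """Return the list of ways one login deviates from the user's baseline."""
    user, ts, country, agent = event
    p = profile.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if country not in p["countries"]:
        reasons.append(f"new country {country}")
    if agent not in p["agents"]:
        reasons.append(f"new user agent {agent}")
    hour = datetime.fromisoformat(ts).hour
    # circular distance so 23:00 and 01:00 count as close
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in p["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons

def flag_compromised(profile, events, threshold=2):
    """Return (user, timestamp, reasons) for logins with >= threshold deviations."""
    flagged = []
    for event in events:
        reasons = score_login(profile, event)
        if len(reasons) >= threshold:
            flagged.append((event[0], event[1], reasons))
    return flagged
```

A single new country is a weak signal on its own (travel, VPNs), which is why the threshold requires several deviations before an account is raised for review.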

Earlier this month, the US Department of Justice and the FBI said that Russian military intelligence was responsible for a separate hack on Fifa in 2016. This resulted in evidence from anti-doping investigations and lab results being published. 
