Irish Data Protection Commissioner investigating cyber attack that claimed player details from World Rugby
World Rugby has been forced to suspend one of its websites after the governing body was the target of a cyber attack that saw hackers obtain personal data from thousands of subscribers to one of their databases, The Sunday Telegraph can reveal.
It is understood that the hackers were able to access the first name, email address and encrypted passwords of thousands of users, including players, coaches and parents from across the world after the security breach on May 3.
It is not yet clear if it was a random attack to steal data or if World Rugby was deliberately targeted by one of the cyber espionage groups that has previously leaked confidential information from the websites of sporting bodies such as WADA and the IAAF.
The hackers targeted World Rugby’s training and education website, which is a platform for the grass-roots game to keep up to date with the latest drills to improve technique and offer advice for the prevention of injuries such as concussion.
World Rugby’s main website, including Rugby World Cup ticketing and fan data plus sensitive information around players’ disciplinary hearings, was not at risk from the attack.
When it detected the breach, World Rugby immediately took down the affected sites and denied access to databases, and brought in data and technology security experts to investigate the nature and scope of the incident and put steps in place to prevent a similar attack.
As of yesterday, the training and education portal remained offline.
World Rugby also sent emails to the subscribers to warn them of the breach and reassure them that as the passwords were encrypted, there was no danger of them being breached.
Subscribers, however, were recommended to change their passwords when the site comes back online.
As World Rugby is based in Dublin, the governing body also informed the Irish Data Protection Commissioner’s office of the breach. The details of the attack emerged just days before the EU’s general data protection regulation comes into effect on May 25.
World Rugby could have faced a sanction from the Association of Data Protection Officers (ADPO) if the breach had occurred after that date. The ADPO will have the power to fine organisations up to €10 million (£8.82 million) for data security breaches, depending on mitigating factors.
Sean Burnard, one of the subscribers who received the email alert, said he was alarmed by the breach. Burnard uses the portal to access the training drills and technique tips to help his sons improve their skills.
“At first my concern was that it was a spoof email but then it was confirmed that there had been a security breach,” he said.
“My biggest concern now is that I cannot access the website to change my password. There is no information of value on there but I am concerned that someone has access to my personal information.”
A World Rugby spokesman said the governing body regretted the breach and reassured subscribers to the training and education website that “all possible steps are being taken to protect subscriber data and prevent a repeat incident”.
“World Rugby can confirm that on the evening of May 3 it detected unauthorised access to the subscriber database linked to World Rugby’s training and education portal.
“There was no breach of the entirely separate www.worldrugby.org website or any other World Rugby digital platform.
“The affected database contains information relating to education and training history with World Rugby and the breach was isolated to subscriber first name, email address and encrypted (hashed) password.
“World Rugby contacted those potentially affected immediately, detailing the level of information that was accessed, and recommends that all passwords should be changed regularly in line with best security practice.
“World Rugby is also working with the relevant regulators.
“World Rugby takes the protection of data extremely seriously and acted immediately to determine the nature and scope of the issue, investigate how this incident occurred and to take steps to prevent a repeat situation.
“As a precaution, World Rugby suspended access to the affected sites to run full diagnostics with area experts and the breach cause has been identified, isolated and remedied.”