A data breach of the National Football League Players Association’s (“NFLPA”) website has exposed the personal information of nearly 1,200 players and agents.
Late last month, Kromtech Security Center, a German-based firm, identified a misconfigured online database on the NFLPA.com server that allowed hackers, or anyone else with internet access and the correct link, to access players’ and agents’ names, birth dates, addresses, cell phone numbers, and email addresses. It appears that other highly confidential information, such as social security numbers, was not accessible to the hackers.
Among those affected by the incident was Colin Kaepernick, the former San Francisco 49ers quarterback who protested police brutality by kneeling during the national anthem. It has been reported that Kaepernick, now a free agent, has received death threats because of his protest.
By the time Kromtech discovered the misconfiguration, the database had already been compromised. Kromtech stated that hackers accessed the NFLPA’s database and left a ransom note on February 3, 2017. The ransom note demanded 0.1 Bitcoin (approximately $427) to unlock the database and threatened to publicly release the information accessed if payment was not received. On October 3, 2017, Forbes reported that the ransom had not been paid.
The online database, Elasticsearch, was used to collect information on user activity from various NFL-related domains, including NFLPA.com. Similar Elasticsearch attacks occurred earlier this year. In those attacks, following the same modus operandi, hackers removed data from the servers and replaced it with ransom notes requesting Bitcoin payments.
Most of the players affected by the breach are current or recent free agents. The NFLPA has since notified those affected and secured the database.