The organizing committee for the Tokyo Olympic Games was hit with a data breach towards the end of last week.
Although the exact causes and extent of the breach are still being determined, sources have said it was likely due to a ‘malware infestation’.
What was leaked?
The data breach exposed personal information relating to 170 security officials, all of whom, ironically, were involved in a drill that was geared towards preparing staff for cyber-attacks during the event. Japan’s national cybersecurity center was in charge of conducting the simulation.
Included in the leak were the names, company titles, and affiliations with over 90 organizations heavily involved in the planning and delivery of the Olympic Games, which is due to commence in under 50 days. The organizing body for the Paralympics was also impacted.
Reports also claim that the breach has affected several local government authorities, including those with responsibility for Tokyo and the Fukushima prefecture (the top-level administrative division in Japan after the national government).
Why did it happen?
The breach occurred, according to reports, because of an “unauthorized access to an information technology” built by Fujitsu Ltd, a communications technology company that provides both equipment and services.
The Olympic Committee breach is thought to be linked to a previous Fujitsu incident in late May relating to ProjectWEB, an information-sharing platform used by a number of major companies, bodies, and organizations in Japan. ProjectWEB was suspended in late May.
Fujitsu said data breaches had already been discovered in more than one arm of the Japanese government machine, including the Foreign Ministry, while also admitting that corporate clients had been affected. Roughly 76,000 email addresses of government officials, members of panels, and individuals in a variety of other positions have been compromised, as have “study materials on creating a digital government”.
The breach has been put down to a “malware infestation”, but there is still much to uncover regarding the precise nature of the breach and the full extent of the information that has been compromised.
Who has responded?
The cybersecurity center has so far decided not to comment on whether any of the compromised data was linked to the games, nor whether it had negatively impacted the day-to-day running of the entities involved.
The President of Fujitsu Ltd., Takahito Tokita, has apologized to the Olympic Minister Tamayo Marukawa for the breach.
Some commentators are worried that the Tokyo Olympics might be uniquely difficult to secure now, specifically because the hackers have the names and information of the individuals who are supposed to be ensuring the event is digitally secure.
A brief history of Olympics data breaches
As major events often are, the Olympics has a recent history of being targeted by hackers and malware, and it seems where it’s hosted doesn’t really make a difference.
The BBC reported that, in 2008, China was subject to around 12 million cyberattacks a day while the Beijing Olympics was on. Alerts had to be whittled down to just 90 critical alarms to cope with the demand.
At the London games in 2012, before the opening ceremony, many organizers thought there was a ‘realistic threat’ that systems could be hacked and that things like the lights, which are of course integral for both safety and entertainment purposes, could be turned off. Overall, there were six major cyberattacks recorded at the London Olympics, all of which were thwarted.
In 2016, when Brazil was hosting the games in Rio, a months-long barrage of DDoS attacks was leveled at associated organizations and affiliates of the Olympics in the country.
The Winter Olympics have also been targeted, with domain controllers in South Korea’s data centers going down during the 2018 opening ceremony – everything from TVs in the stadium to the ticketing app being used for the event went down. Luckily, the country’s preparedness for such an attack meant it was minimally impactful.