Cyber Incident Victim: United States Olympic Committee

On November 18, 2016, the United States Olympic Committee (USOC) discovered that personal information of participants in its April 2016 "100-Days Out" event had been compromised due to a breach at an external government contractor. The contractor had managed security clearance processes for attendees requiring access to restricted areas during the event. An unauthorized individual infiltrated the contractor’s email account and subsequently posted a selection of stolen emails to a public website. One of these exposed emails contained sensitive attendee data submitted during the security vetting process. The USOC confirmed the compromised records included full names, dates of birth, physical addresses, telephone numbers, Social Security numbers, and passport details. The committee initiated an investigation upon identifying the breach but did not disclose how the attacker gained email access or the total number of affected individuals.

The USOC began notifying impacted attendees shortly after confirming the breach, advising them that their exposed information could heighten risks of identity theft and fraud. The organization did not specify whether the contractor’s systems beyond the email account were compromised or if other events were affected. No evidence suggested misuse of the data at the time of notification, though the public posting meant information remained accessible to malicious actors. The committee directed attendees to credit monitoring services but did not disclose remediation steps taken with the contractor or whether legal or regulatory actions followed. The incident underscored risks associated with third-party vendor security practices, particularly for organizations handling sensitive personal data for high-profile events.