Cyber Incident Victim: ArbiterSports
Date: Jul 2020
Location: United States of America
Summary
A ransomware attack targeted a sports officiating software provider, resulting in the theft of a backup database containing sensitive personal information of approximately 540,000 referees and game officials. The attackers exfiltrated usernames, encrypted passwords, real names, addresses, dates of birth, email addresses, and encrypted Social Security numbers, and subsequently decrypted the passwords and Social Security numbers. Although the company prevented file encryption, it paid the ransom and received confirmation that the stolen files had been deleted. The incident mirrored similar attacks in which threat actors stole unencrypted data and demanded payment for its deletion, though nothing guaranteed that the attackers had not kept copies made before the deletion.
Description
In July 2020, ArbiterSports, the NCAA’s official software provider and a platform for managing sports officials across multiple leagues, experienced a ransomware attack. The company detected and blocked the attackers’ attempt to encrypt its local files, preventing operational disruption to its systems. However, the intruders successfully exfiltrated a backup database containing sensitive information from three web applications: ArbiterGame, ArbiterOne, and ArbiterWorks. These platforms were used by schools and sports organizations to coordinate referees’ schedules, assignments, and training programs. The stolen backup included registration details of approximately 540,000 individuals, comprising usernames, encrypted passwords, real names, physical addresses, dates of birth, email addresses, and encrypted Social Security numbers. Despite the encryption, the attackers decrypted both the passwords and Social Security numbers, exposing highly sensitive personal identifiers.

Following the failed encryption attempt, the hackers contacted ArbiterSports and demanded payment in exchange for deleting the stolen data. The company complied with the ransom demand and subsequently received confirmation that the unauthorized party had deleted the files. ArbiterSports disclosed these events in data breach notifications filed with multiple U.S. states, though it acknowledged no guarantee existed that the attackers had not retained copies of the data prior to deletion. Industry sources from the incident response community noted parallels with prior ransomware cases where stolen data persisted despite deletion assurances. The breach exposed referees and officials to potential identity theft and financial fraud risks due to the compromise of Social Security numbers and other personal information. The incident mirrored tactics observed in the 2020 Blackbaud breach, where another software vendor avoided file encryption but paid hackers to delete stolen data after exfiltration.
