Cyber Incident Victim: Special Olympics New York
Date:
Dec 2019
Location:
United States of America
Summary
A nonprofit organization's email server was compromised and used to send phishing emails to donors, falsely alerting recipients of imminent fraudulent transactions to induce urgency. The attackers embedded malicious links redirecting to fraudulent pages, though only contact information was accessed without financial data exposure. The breach was resolved promptly, with assurances provided regarding donor data protection. This incident occurred alongside similar cyberattacks targeting other Olympic organizing committees, which involved phishing campaigns and malware deployment aimed at disrupting operations or stealing credentials.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late December 2019, Special Olympics of New York experienced a security breach involving unauthorized access to its email server around the Christmas holiday period. Attackers compromised the nonprofit's communications system, which stored donor contact information but did not contain financial data. The intruders exploited this access to launch a phishing campaign targeting previous donors of the organization, which supports competitive athletic opportunities for individuals with intellectual disabilities. The fraudulent emails impersonated an alert about an impending donation transaction falsely claiming $1,942.49 would be automatically debited from recipients' accounts within two hours. This urgent timeframe was designed to pressure recipients into clicking embedded hyperlinks disguised as links to PDF transaction statements. The phishing messages included language urging recipients to review the transaction and contact the sender using a provided office extension number, with text stating: "It is not a mistake, i verified all twice." Technical analysis revealed the attackers used a Constant Contact tracking URL to redirect victims to a malicious landing page, which had been deactivated by the time of reporting but was assessed as likely designed to harvest credit card details.
Special Olympics New York responded by securing its email systems and notifying affected donors about the incident, explicitly stating the breach only involved contact information from their communications platform. Casey Vattimo, Senior Vice President of External Relations, confirmed the issue had been resolved and reassured donors they could safely resume donations. The organization's notification email apologized for the incident and emphasized confidentiality protections for contact details remained intact. As part of recovery efforts, Special Olympics NY promoted a donation-matching initiative through Finish Line, tripling contributions made by December 31. This incident occurred alongside broader cybersecurity threats targeting Olympic organizations, including a separate phishing campaign against Tokyo 2020 Summer Olympics staff that same year involving emails impersonating event organizers. Historical context referenced a February 2018 attack using Olympic Destroyer malware against Pyeongchang Winter Olympics infrastructure, which disrupted IT systems during the opening ceremony, and a prior PowerShell-based malware campaign targeting the same organizers.