Cyber Incident Victim: World Anti-Doping Agency
Date: Sep 2016
Location: Canada
Summary
The World Anti-Doping Agency confirmed a cyberattack by suspected Russian espionage group APT28 (Fancy Bear), which breached its confidential medical database and stole sensitive athlete information including Therapeutic Use Exemptions. The hack targeted high-profile athletes such as Serena Williams, Simone Biles, and Elena Delle Donne, exposing private medical records managed through its ADAMS system. Agency leadership condemned the intrusion as an attempt to undermine anti-doping efforts, while USADA's CEO characterized it as cyberbullying and cowardly behavior. The attackers, previously linked to breaches of US political organizations, compromised data released by international sports federations and national anti-doping bodies, though no additional system compromises were identified. This incident followed earlier unauthorized access to another athlete's personal account.
Description
On September 14, 2016, the World Anti-Doping Agency (WADA) confirmed a cybersecurity breach in which attackers illegally accessed its Anti-Doping Administration and Management System (ADAMS). The intrusion was attributed to APT28, a hacking group also known as Fancy Bear, which WADA identified as a suspected Russian state-sponsored espionage operation. This group had previously been linked to cyberattacks against the U.S. political system and the Democratic National Committee earlier in 2016. The attackers exfiltrated confidential medical data of high-profile athletes, including tennis stars Serena and Venus Williams, Olympic gymnast Simone Biles, and basketball player Elena Delle Donne. The compromised records contained Therapeutic Use Exemptions (TUEs) – legally granted permissions for athletes to use otherwise prohibited substances for verified medical needs – issued by International Sports Federations and National Anti-Doping Organizations. WADA stated the breach specifically targeted athlete TUE data through individual ADAMS accounts, with no evidence suggesting broader system compromise beyond these targeted accesses.

The attack occurred weeks after a separate intrusion into the personal account of Russian whistleblower Yuliya Stepanova, though no direct connection between these incidents was explicitly stated. A website purportedly affiliated with the Anonymous collective surfaced around this time, claiming to expose doping-related information. WADA Director General Olivier Niggli publicly condemned the ADAMS breach as a deliberate attempt to undermine the agency's credibility and the global anti-doping system. Travis Tygart, CEO of the United States Anti-Doping Agency (USADA), denounced the hack as "cowardly and despicable," emphasizing the violation of athletes' privacy through the release of confidential medical information. While WADA confirmed the theft of athlete TUE records, it maintained that other ADAMS data remained secure. The incident highlighted vulnerabilities in anti-doping infrastructure and raised concerns about nation-state actors targeting international sports organizations to influence public perception regarding doping compliance.
