Cyber Incident Victim: Pacers Sports & Entertainment
Date:
Oct 2018
Location:
United States of America
Summary
A phishing campaign compromised employee accounts at Pacers Sports & Entertainment, enabling unauthorized access to email systems over a multi-week period. The breach exposed a range of personal data potentially including names, addresses, Social Security numbers, medical information, financial details, and login credentials, though the organization did not specify whether affected individuals were employees, customers, or both. Discovery occurred months prior to public disclosure, with no reported misuse of the stolen information. The organization provided notification guidance and fraud protection resources to potentially impacted parties.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The security incident impacting Pacers Sports & Entertainment (PSE), parent company of the Indiana Pacers and Indiana Fever basketball teams, began with a phishing campaign that compromised several employee email accounts. Attackers gained unauthorized access to these accounts between October 15, 2018, and December 4, 2018. PSE discovered the breach on November 16, 2018, during this active intrusion window. Following discovery, the organization conducted a forensic review of the affected email accounts, which revealed the presence of personal records belonging to an undisclosed group of individuals. The compromised data included highly sensitive information such as full names, physical addresses, dates of birth, passport numbers, medical and health insurance details, driver's license or state identification numbers, financial account information, credit/debit card numbers, digital signatures, login credentials, and in certain cases, Social Security numbers. The scope of impacted individuals remained unclear as PSE did not specify whether the exposed data pertained to employees, customers who interacted with platforms like the Pacers online merchandise store, or other parties.
PSE delayed public notification of the breach until May 2019, approximately six months after concluding their investigation. The company established a dedicated telephone support line for individuals seeking confirmation about their potential involvement in the incident and published guidance on identity theft protection measures for confirmed victims. In their disclosure, PSE emphasized that they had received no evidence indicating misuse of the stolen personal information prior to the notification date. The organization attributed the attack solely to external threat actors exploiting phishing techniques to obtain employee account credentials, without providing additional details regarding the attacker's identity, motivations, or technical methodologies beyond the initial compromise vector. No information was disclosed regarding containment actions taken during the breach period between detection and access termination on December 4, 2018.