World Athletics

The International Association of Athletics Federations, operating globally as World Athletics, serves as the international governing body for the sport of athletics. Its core mandate encompasses the establishment and enforcement of competition rules, the organization of premier global events including the World Athletics Championships, and the oversight of anti-doping programs worldwide. The federation regulates the sport across all continents, setting standards for athlete eligibility, competition integrity, and the administration of Therapeutic Use Exemptions (TUEs) for medical conditions. This regulatory role positions it as a central authority for a sport with a vast participant base, from elite professionals to grassroots competitors. A critical function involves managing highly sensitive personal and medical data submitted by athletes for TUE approvals, a responsibility that directly impacts athlete privacy and the sport's credibility. The organization's operational scope is inherently international, coordinating with over 200 national member federations and ensuring uniform application of its codes across diverse jurisdictions. Its headquarters in Monaco situates it within a hub for international sports governance.

The federation's handling of sensitive data and its high-profile regulatory status were starkly highlighted by a significant security incident on February 1, 2017. A sophisticated cyber attack, attributed to the Russian-linked Fancy Bear hacking group, resulted in the compromise of confidential athletes' medical records associated with TUE applications. The intrusion, detected by the security firm Context Information Security during a proactive investigation, demonstrated persistent access by the attackers to the organization's sensitive files. This breach directly targeted the very data the federation is entrusted to protect, exposing the medical information of numerous athletes and undermining trust in its data stewardship. The incident mirrored a pattern of previous Fancy Bear operations against other anti-doping and sports entities, underscoring the federation's vulnerability as a high-value target for state-sponsored actors seeking to discredit international sports institutions. Following the discovery, the IAAF notified affected athletes and issued a public apology, acknowledging a failure in its security protocols that allowed the prolonged, undetected access. The event serves as a documented case study in the cybersecurity challenges facing global sports regulators, particularly regarding the protection of athlete medical information and the integrity of anti-doping systems.