Skip to content
Naked Security Naked Security

Hacked Olympians’ doping docs may have been doctored post-theft

The World Anti-Doping Agency says that not all of the leaked data accurately reflects what it has in its own records.

On 13 September, a hacking group called Fancy Bears published stolen medical data from the World Anti-Doping Agency (WADA).

The data revealed the names of athletes allowed to take otherwise banned substances for medical reasons. The first data dump included details about athletes including US tennis superstars Serena and Venus Williams, along with Rio Olympic gold medalist gymnast Simone Biles.

A following dump included athletes such as rower Mahe Drysdale of New Zealand, who won gold medals in the Rio 2016 and London 2012 Olympics.

Other notables in what so far has been a series of 6 data dumps: Britain’s most decorated Olympian, Sir Bradley Wiggins; Mo Farah, the two-time double Olympic 5,000m and 10,000m champion; Britain’s most highly awarded Olympic winner, Laura Kenny (formerly Trott); Britain’s three-time Tour de France winner Chris Froome; and Spain’s Rafael Nadal.

Over the course of those 6 waves of data releases, Fancy Bears described itself as “an international hack team” that stands for “fair play and clean sport”.

But WADA is now saying that someone may have doctored the documents post-hack.

In an incident response published on Wednesday, WADA said that its technical and forensic team’s current assessment is that an intruder illegally accessed an account – known as ADAMS – used to store data on Rio 2016 athletes.

Multiple attacks happened between 25 August 2016 and 12 September 2016.

The credentials to break into ADAMS had been previously spear-phished out of targeted users of the account.

The doxxed athlete data corresponded with the data thefts that occurred between 25 August and 12 September.

But not all the data is accurate, WADA found:

WADA has determined that not all data released by Fancy Bear… accurately reflects ADAMS data. However, we are continuing to examine the extent of this as a priority and we would encourage any affected parties to contact WADA should they become aware of any inaccuracies in the data that has been released.

The released data related to WADA’s Therapeutic Use Exemptions (TUEs): a process by which an athlete can obtain approval to use a prescribed prohibited substance or method for the treatment of a legitimate medical condition, including, for example, ashthma inhalers or Biles’ use of drugs for ADD.

Fancy Bears’ crime wasn’t done in the name of “fair play” or “sportsmanship,” WADA said. Rather, it was “a cheap shot at innocent athletes whose personal data has been exposed.”

WADA said that it’s changed its systems and procedures, introduced new IT measures, and advised all users of its data system following the attack.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!