Tokyo 2020 ticket holder data leaked in cyber breach

Personal data of Tokyo 2020 volunteers and ticket holders have been leaked online, although officials say the breach is "not large".
27 July 2021

A Tokyo 2020 Olympics Games banner is displayed on the wall of the Tokyo Metropolitan Government building in Tokyo. (Photo by Charly TRIBALLEAU / AFP)

Despite warnings and a heightened alert status for such occurrences, a Japanese government official has said that the personal data of Tokyo 2020 Olympic Games ticket holders and event volunteers have been leaked online.

The official apparently disclosed this information to Kyodo News agency on condition of anonymity, clarifying that the stolen data includes credentials such as usernames and passwords, which can be used to access Tokyo 2020 websites intended for volunteers and ticket holders. As such, personal data such as names, addresses and bank account numbers linked with these credentials might all have been compromised.

The source claims, however, that this leak was “not large” in scale, and that measures were already being taken to limit the spread of compromised data. While this might be the first sizable data breach since the Olympic Games officially got underway, Tech Wire Asia did report that back in early June, the personal information of around 170 people linked to the Tokyo 2020 organizing committee was breached, via unauthorized access to an information-sharing tool developed by Fujitsu Ltd.

A fake phishing webpage set up by malicious actors to dupe Tokyo 2020 ticket holders & event staff into entering their personal data. Source: Kaspersky

Fujitsu had been contracted to oversee clients’ computer systems, and had also been involved in the digital readiness of Japanese government agencies including the National Center of Incident Readiness and Strategy for Cybersecurity as well as the Foreign Ministry – both of which reported data breaches in May.

The Japanese government had been taking precautionary steps for some time, following the prominent cyberattacks that beset previous editions of the summer Games, from Athens in 2004 to London in 2012 right up to Rio de Janeiro, Brazil in 2016. The country unveiled a national cybersecurity strategy, "Japan’s Cybersecurity Strategy: From the Olympics to the Indo-Pacific", which included simulating potential cyberattacks in and out of urban centers, and training 220 white hat hackers to test their systems’ security and to spot vulnerabilities.

Major sporting events on the scale of Tokyo 2020 do not occur very often, but in the digital age they have become frequent attack targets. While coordinated intrusions by hacktivists, such as distributed denial-of-service (DDoS) attacks meant to cripple power systems, were identified at prior Games like London 2012, the Tokyo 2020 breaches illustrate how pervasive credential theft attacks have become.

Kaspersky released a report detailing how scammers will attempt to monetize viewers’ interest. Kaspersky experts analyzed Olympic-related phishing websites designed to steal users’ credentials, which included fake pages offering to stream various Olympic events, selling tickets for competitions that won’t have spectators, various giveaways, and even the first fake Olympic Games virtual currency.

The phishing pages prompt Tokyo 2020 account holders to enter their personal logins, exposing their credential data to fraudsters. With so many social engineering attempts being made in the past few months, it is plausible that the recent credential leaks are actually a series of isolated or coordinated data breaches, rather than a single incident.

“Cybercriminals always use popular sports events as bait for their attacks[…] Still, we observe that fraudsters have no limit when it comes to creating new ways to take advantage,” commented Olga Svistiunova, security expert at Kaspersky. “For example, this year, we discovered an interesting phishing page selling Olympic Games Official Token. There is no real equivalent of such thing, that means that cybercriminals are not only faking already existing baits but also come up with their own new sophisticated ideas.”