Over 500,000 Referee and Sports accounts reportedly exposed in hack of ArbiterSports
By Adam Schwager
SoccerWire Contributor and Certified Referee
ArbiterSports, the leading platform used by colleges, high schools and youth sports organizations to manage and pay assignments of sports officials, suffered a malicious hack this past summer, according to several public reports and confirmed by SoccerWire through research of court records in multiple states.
The attack reportedly involved over 500,000 accounts and resulted in hackers obtaining “Account username and password, name, address, date of birth, email address, and Social Security number”.
The company claims they have paid the requested ransom to the attackers and received evidence they subsequently deleted the stolen data.
If you referee sports in the United States, odds are you have at some point had an account with ArbiterSports. If so, despite Arbiter’s assurances that it reached an agreement with its attackers to delete the stolen data, it is still highly recommended that you take immediate action to protect yourself from identity theft and potential financial devastation, should the hack lead to criminals gaining access to your bank accounts.
According to a disclosure letter sent to Arbiter’s users, the breach occurred sometime in the week leading up to July 15, 2020, the date on which the company first noticed the hack. However, this exhaustive list of records published by the Indiana Attorney General’s office lists the date of the initial breach as June 3, 2020. It also reveals that a total of 539,309 accounts were accessed. Multiple filings and notifications confirm the hack resulted in the theft of the “account username and password, name, address, date of birth, email address, and Social Security number” of the accounts listed.
Arbiter reportedly was able to identify and contact the unauthorized party, who demanded payment from Arbiter in exchange for a promise to delete the stolen files. According to information provided by Arbiter, the company and the hackers eventually reached a ransom agreement, leading to Arbiter’s statement that it had “obtained confirmation that the unauthorized party deleted the files.”
Despite the attack being confirmed to have occurred prior to July 15, and seemingly as far back as June 3, it wasn’t until August 24 that ArbiterSports reported a security breach to multiple states’ Attorney General’s offices, via their D.C.-based law firm BakerHostetler.
The community of referees affected, however, remains skeptical of a hacker’s promise to actually delete all of the data, especially given the amount of time that elapsed between the breach and the so-called confirmation of deletion.
In a Medium post, professional programmer Keith Mukai lists all the missteps he believes Arbiter took that led to the data breach and all the errors Arbiter made in handling the situation. As of this writing, it appeared that Arbiter had only notified affected users in areas where it is required to do so by state law, and had done the bare minimum to publicize the security breach online, even to those members who should certainly be made aware that their Social Security number has been compromised.
While the post digs deeply into several security flaws Mukai believes should have been basic operating procedure in today’s world, it appears the simple standard of never emailing a password to a user was something still in practice at Arbiter as recently as 2016. While following discussions on several referee forums seems to confirm that practice was eventually fixed, the fact that this hack happened in 2020 points to the likelihood Arbiter – the largest processor of sports referee payments in the USA – did not go far enough to correct what appears to be a culture of insecurity.
Whether or not assignors should continue to use Arbiter after such an invasive and preventable security breach is certainly a topic that will be addressed over the coming weeks throughout the sports community in the United States. Either way, there are things soccer referees can do now to reduce the risk of becoming a victim as a result of this or any other unauthorized disclosure of personal data.
STEP 1 – Change Your Passwords – Everywhere
In any security breach involving usernames, emails and passwords, unauthorized parties will generally try the leaked email/password or username/password combinations on a variety of other websites, especially websites that store your payment information. While I have no proof that it was directly related to the Arbiter cyberattack, I recently had multiple accounts of mine that shared my Arbiter email and password hacked, including my Netflix account. In every case, my profiles were deleted, my password and primary language had been changed, my plan was upgraded and my last reported login locations were from Ecuador and Venezuela. This is just one example of how hackers can find ways to exploit this information, so it is imperative that referees vigorously monitor their bank statements and make sure that all of their accounts are protected.
STEP 2 – Sign Up for Complimentary Identity Protection
When a breach of this scope occurs, especially when data as sensitive as Social Security numbers is involved, companies are required to give affected customers complimentary access to an identity protection service. In their letter to affected users, Arbiter laid out a process for users to get a one-year complimentary membership to Experian IdentityWorksSM Credit 3B.
If you were lucky enough to receive a letter from Arbiter, it should include an activation code for you to use to redeem your free membership. If you didn’t receive a letter, the best course of action would be to contact Arbiter directly, either via their hotline at (877) 296-5652 or by email at [email protected], to see if they will honor your request. While the sample letter includes a basic code, after testing we have determined that the code is a fake code included for the sake of Arbiter’s reporting to California’s Attorney General’s office.
Affected users should also monitor their credit with the major reporting agencies. All citizens are entitled to a free check from each of the three credit bureaus once a year, which they can access at annualcreditreport.com. Due to the financial strain put on many households during the pandemic, Equifax, Experian and TransUnion are offering free weekly online reports through April 2021. If you feel that your identity has been stolen as a result of the hack, immediately contact the Federal Trade Commission at ftc.gov/idtheft, or contact your state’s Attorney General’s office.
STEP 3 – Remove Your Data From Arbiter if Possible
As Keith Mukai argued in his Medium piece linked above, a breach of this nature demonstrates a systematic failure by Arbiter to keep the information on their website secure. I personally haven’t used Arbiter in two years, so removing my information was not a problem for me, but if your referee assignor still uses Arbiter and the hack has not encouraged them to seek other methods of payouts, you should at a minimum change your Arbiter password to something you don’t use for any other accounts. This will at least protect you from getting hacked in other areas of the internet if a similar breach occurs again.
STEP 4 – Open a Receive-Only Bank Account for All Your Gig Payment Receipts
Another strategy in today’s gig economy is to maintain a free or low-cost bank account dedicated solely to receiving ACH payments. You can then set up automatic transfers from this account to your primary spending, savings or investment accounts. This way, even if criminals do gain access to a bank account connected to Arbiter or any other payment source for your gigs, at least they won’t have gained access to your primary account.
By following these steps, you should be in a good position to mitigate the damage resulting from the Arbiter breach. If you wish to talk to Arbiter directly about the incident, the company has set up a toll-free hotline at (877) 296-5652, which can be reached on weekdays from 9 a.m. to 11 p.m. EDT or on weekends from 11 a.m. to 8 p.m. EDT.