As most international revelers enjoyed the opening ceremony of the XXIII Olympic Winter Games in Pyeongchang, South Korea, an event much more sinister and newsworthy was occurring under the radar. Unbeknownst to most athletes proudly waving their nations’ flags, a Russian-based hacking group known as “Fancy Bear” had just initiated a widespread cyber-attack designed to disrupt the opening ceremony. The attack was incredibly effective, as the hackers managed to knock out internet access and broadcasting systems, preventing many spectators from printing out their tickets to the event. The attack also caused blackouts for networks attempting to broadcast the opening ceremony over the web.
Most intelligence experts have concluded that the event was likely tied to the Olympic Committee’s “Russia ban” following the doping scandal at the 2014 Sochi Winter Games in Russia. Those who have been tuning into the Winter Olympics this year will likely have noticed that many Russian athletes are still competing in the games. However, Russian athletes have been relegated to competing under the moniker “Olympic Athletes from Russia.” Their uniforms do not contain any Russian national emblems. When an athlete from Russia wins a gold medal, the Olympic melody is played instead of the Russian national anthem. As one can imagine, this has been a great affront to the national pride of Russia. The cyber-attack from Fancy Bear was a retaliatory response to those sanctions.
“Traditional” cyber-attacks are often designed to extract sensitive data from an organization. The Fancy Bear attack did not. Based on preliminary reports, it is unlikely that this attack resulted in the leaking or disclosure of sensitive information, especially since such information was not stored on the systems Fancy Bear targeted. Instead, this attack was designed to achieve one purpose – create chaos. In this respect, the cyber-attack on the Olympics was immeasurably effective.
Attacks such as these are particularly worrisome from a cybersecurity perspective. Companies that maintain sensitive information are more likely to have well-established data privacy practices. Accordingly, these organizations know ahead of time that it is imperative to segregate their data, deploy firewalls, and maintain encryption mechanisms. The organizers of the Winter Olympics probably assumed that no one would attack them, but even what would seem like unusual and unlikely targets, such as the Winter Olympics, can lack the institutional safeguards needed to fend off these attacks.
Of course, large multinational organizations that already maintain sensitive information will always be a hot target for cyber-criminals. However, the attack on the Winter Games indicates that we are now entering a new phase of cyber-security defense. Smaller low-profile businesses, non-profits, and others should view the Winter Games attack in Pyeongchang as their cue to reevaluate their data security controls and infrastructure.
A complete review of these controls should include an analysis by a legal practitioner to provide guidance on which legal standards apply and which best practices to employ. In the United States, varying legal standards will apply depending upon the type of information that is being collected. Predictably, stronger data security standards apply to companies maintaining more sensitive information. For those companies that naively believe their failure to collect sensitive information protects them from being a target: take note. The Winter Olympics were still targeted despite not having any information that is worth stealing.
Jason Sarfati is a member of the International Association of Privacy Professionals (IAPP), the largest and most comprehensive global information privacy community. Jason holds the CIPP/US certification (Certified Information Privacy Professional / US concentration), which means that he is particularly well versed in the data privacy laws that govern the private sector in the United States. His practice focuses on advising clients how to comply with federal and state privacy laws governing the collection, use, retention, and disclosure of private or otherwise sensitive information. Jason also has broad experience in offering his clients transactional support in negotiating technology transactions with both private and public entities.