Tech

Indiana Pacers disclose security breach

Company behind Indiana Pacers and Indiana Fever said hackers breached employee accounts, stole personal data.

Written by Catalin Cimpanu, Contributor May 11, 2019 at 9:31 a.m. PT

Security

Pacers Sports & Entertainment (PSE), the legal entity behind the Indiana Pacers and the Indiana Fever NBA and WNBA basketball teams, respectively, announced a security breach on Friday during which hackers gained access to sensitive user information.

In a press release published yesterday, the company blamed the breach on a phishing campaign during which hackers managed to gain access to several PSE employee accounts.

It said hackers had access to these accounts between October 15, 2018, and December 4, 2018.

PSE is notifying customers now, but the company said it learned of the breach way back last year, on November 16, leaving many to ask themselves: What took so long?

"After a thorough review of these email accounts, PSE determined that a limited number of personal records were present in the affected emails," the company said.

Exposed information ranges wildly, and PSE said it might include name, address, date of birth, passport number, medical and/or health insurance information, driver's license/state identification number, account number, credit/debit card number, digital signature, username and password, and in some cases even Social Security numbers.

Is it employee or customer data?

As DataBreaches.net pointed out, PSE did not mention if this data belongs to PSE employees or PSE customers -- such as those who registered for the Pacers online shop to buy gear and memorabilia.

By the wide range of exposed information, at first sight, it may appear that it's both -- although, ZDNet reached out to PSE via email earlier today to clarify this issue in the company's confusing breach disclosure.

A phone number that potential victims can call and get more information about the incident and see if they are impacted is available on the Pacers website.

PSE also published information on how impacted individuals can protect themselves against fraud and identity theft. The company said it did not receive any reports that personal data has been misused.