In recent months, the Polish Anti-Doping Agency (POLADA) has reportedly fallen victim to one of the most destructive cyber-attacks in the history of the Polish Internet. Hackers, likely backed by the services of a hostile state, allegedly broke into the agency’s infrastructure and stole sensitive data concerning Polish athletes. These details were then published online on August 6, 2024, causing a surge of outrage and concern among the public.
Scale of the Data Leak
The stolen data encompassed not just basic information such as names, addresses, phone numbers, and email addresses, but also information of a particularly significant nature. Amongst the leaked information were results from anti-doping tests, medical records, and documentation of investigations conducted by POLADA. This type of information is extremely sensitive, and its disclosure could have severe consequences for affected individuals.
The Agency’s First Statement
For a long time, POLADA avoided commenting publicly on the matter while collaborating with the appropriate institutions, such as the police, CERT Polska (Computer Emergency Response Team), the Office for Personal Data Protection, and the Ministry of Digital Affairs. Finally, on Wednesday, the first official statement since the disclosure of the attack appeared on social media. In the statement, POLADA called for a halt to the dissemination of information discrediting Polish athletes, which had begun to appear in the public sphere. The agency resolutely labeled this information ‘fake news’, underlining that “none of the mentioned athletes had a positive result, and none of the presented dates correspond with the carried-out anti-doping checks.”
POLADA’s Lack of Swift Response
Unfortunately, POLADA’s response to the incident leaves a lot to be desired. The agency announced the breach only after the data had already been published online, and its statement did not mention that the hackers had also gained access to sensitive data. The information the agency provided covered only basic data, leading to justified doubts about POLADA’s full transparency.
Furthermore, the fact that the public was only informed about the incident almost 3.5 months later is a serious oversight. In accordance with GDPR, the data controller is obliged to report a personal data breach to the supervisory authority within 72 hours of its discovery, and also promptly inform the individuals whose data was breached if there is a high risk to their rights or freedoms.
Consequences of the Delayed Reaction
The lack of a swift reaction on POLADA’s part could have significantly worsened the effects of this breach. Swift action might have allowed for corrective measures and minimized the impact of the leak by enabling athletes to secure their data or change passwords for various services. In the face of such a serious violation, time is crucial – both for enhancing data security and for protecting the rights of those whose data has been compromised.
Source: https://managerplus.pl/polada-zlekcewazyla-cyberatak-zagrozone-dane-polskich-sportowcow-65901