Milwaukee Bucks Financial Data Breach — A Slam Dunk for Hackers

As a business owner, you might not have the massive payroll of an NBA professional basketball team. You are, however, just as vulnerable to having your financial data compromised, and the crooks don’t have to bypass your firewalls or figure out your security measures. They can, as the following example illustrates, simply fool your staff into giving out the information.

The Milwaukee Bucks Had to Go on Defense

As NBA franchises go, the team payroll for the Milwaukee Bucks, at nearly $70.6 million, isn’t the highest. It ranks 26th out of 30 teams, but its players are still well compensated, with the top salary at $8 million for a single season. All that information is readily available through a web search. But the financial data on each player’s IRS W-2 form — social security number, address, taxes withheld, etc. — is personal and confidential. That financial data in the hands of identity thieves could be used to do a lot of damage to those high-salaried athletes.

But, unfortunately, that is exactly what happened. It became a nightmare for the Milwaukee Bucks’ management on April 26, 2016. Someone posed as the team president in a scam email and convinced an employee to forward the team members’ individual W-2 forms for 2015. The breach remained undetected until May 16th. Bucks’ officials reacted quickly and got the IRS and FBI involved, and they also enrolled the affected players in ID theft restoration services.

A Classic Example of Social Engineering

The scammers in this case took advantage of the Bucks’ employee’s gullibility and eagerness to please, without having to involve a firewall, user data or password hack. Rather than picking up the telephone and verifying the request, the employee, with a few clicks and a punch of the “send” button, blithely handed over sensitive financial data, causing serious damage to the Bucks’ organization. Players’ representatives understandably were not amused and demanded Bucks’ officials outline a plan to prevent this from ever happening again. Team officials naturally promised to institute better security training for their employees.

Be Wary of Social Engineering Scams

What was a hard lesson for the Milwaukee Bucks should serve as a warning for every business owner. The Milwaukee Bucks were victimized by someone posing as an authority figure; however, other clever and insidious traps have been sprung by email attachments and other methods. Additional examples include:

Social Media

Facebook and LinkedIn, among other forms of social media, are marvelous cross-connectors for networking and promoting the company’s brand, but they also are, unfortunately, methods of indirect access by fraudsters to your company’s network. Scammers have found out names of CEOs and used that information to send fraudulent invoices or payment authorizations — in this instance, to the tune of millions.

The Old-Fashioned Phone Call

Scammers can also use an employee’s eagerness to please those in authority and use phone calls to collect information on security systems — or even to collect smaller pieces for a larger system breach. An employee’s response to “I’m sorry, but I seem to have misplaced my network password. Can you help?” should be obvious.

The “Poisoned Flash Drive”

Someone drops a malware infected flash drive in the company parking lot. A curious employee, wanting to be a good Samaritan and return the drive to its rightful owner, picks it up, plugs it in — and a malware payload is launched. (See this ZDNet piece for details.)

So the bottom line is that your weakest link can actually be the one you most depend upon: your staff. It’s about training and awareness. {company} is the trusted choice when it comes to staying ahead of the latest information cybersecurity, technology tips, tricks and news. Contact us at {phone} or send us an email at {email} for more information.