The NBA (National Basketball Association) is notifying fans of a data breach after some of their personal information, “held” by a third-party newsletter service, was stolen.
The NBA is a global sports and media organization that operates five professional sports leagues, including the NBA, WNBA, Basketball Africa League, NBA G League, and NBA 2K League.
NBA programming and games are broadcast worldwide, in more than 215 countries and territories, in more than 50 languages.
In “Cybersecurity Incident Notice” emails sent to an unknown number of fans, the NBA says its systems were not hacked and the credentials of affected fans were not affected by this incident. However, some fans’ personal information was stolen.
“We recently learned that an unauthorized third party had gained access to and obtained a copy of your name and email address, which were held by a third-party service provider that helps us communicate via email with fans who have shared this information with the NBA,” the NBA said.
“There is no indication that our systems, your username, password or any other information you have shared with us has been impacted.”
After being notified of the incident, the NBA is working with the third-party service provider as part of an ongoing investigation and has engaged the services of external cybersecurity experts to analyze the extent of the impact.
Fans warned to watch out for phishing attacks
The NBA has also warned that due to the sensitive nature of the data involved, there is an increased likelihood of data subjects being targeted by phishing attacks and various scams.
Concerned fans have been urged to remain vigilant when opening suspicious emails or communications that may appear to be from the NBA or its partners.
“Given the nature of the information, there may be an increased risk that you will receive ‘phishing’ emails from email accounts that appear to be affiliated with the NBA, or of being targeted by other so-called “social engineering” (when an individual seeks to induce the target to share confidential information or take action contrary to their own interests,” the NBA said.
The notification emails add that the NBA will never request fan account information, including usernames or passwords, via email.
Concerned fans are also urged to verify that emails received are sent from a legitimate “@nba.com” email address, verify that embedded links point to a trusted website, and never open attachments they don’t expect to receive.
An NBA spokesperson was unavailable for comment when contacted by BleepingComputer earlier today.