International Association of Athletics Federations (IAAF) president Seb Coe (pictured) has apologised following what the world governing body has described as a “cyber attack” which it believes has compromised athletes’ Therapeutic Use Exemption (TUE) applications stored on IAAF servers.
The IAAF said that unauthorised remote access to their network was noted in February, though the governing body does not know if the medical information was stolen. It believes the attack has compromised athletes’ Therapeutic Use Exemption (TUE) applications stored on IAAF servers.
Athletes who have applied for TUEs since 2012 have been contacted by the IAAF, the governing body added.
“Our first priority is to the athletes who have provided the IAAF with information that they believed would be secure and confidential,” said Coe.
“They have our sincerest apologies and our total commitment to continue to do everything in our power to remedy the situation and work with the world’s best organisations to create as safe an environment as we can.”
The TUE process allows athletes to gain approval to use a prescribed prohibited substance or method for the treatment of a legitimate medical condition.
“The attack by FANCY BEAR, also known as APT28, was detected during a proactive investigation carried out by cyber incident response (CIR) firm Context Information Security, who were contacted by IAAF at the beginning of January to undertake a technical investigation across IAAF systems,” read an IAAF statement in part.
“The presence of unauthorised remote access to the IAAF network by the attackers was noted on 21 February, where meta data on athlete TUEs was collected from a file server and stored in a newly created file. It is not known if this information was subsequently stolen from the network, but it does give a strong indication of the attackers’ interest and intent, and shows they had access and means to obtain content from this file at will.
“Over the past month the IAAF has consulted the UK National Cyber Security Centre (NCSC) and the Agence Monégasque de Sécurité Numérique (Monaco AMSN) and worked with Context to carry out a complex remediation across all systems and servers in order to remove the attackers’ access to the network. This was carried out and completed over the weekend.”