
Tokyo 2020 hit by data breach

The user names and passwords of Tokyo 2020 ticket holders and event volunteers were reportedly compromised, but a government official claims the data leak was not large

The user names and passwords of Tokyo 2020 Olympic Games ticket holders and event volunteers were reportedly leaked online, a Japanese government official said last week.

The official told Kyodo news agency on condition of anonymity that the stolen credentials could be used to log on to websites for volunteers and ticket holders, compromising personal data such as names, addresses and bank account numbers.

Claiming that the scale of the data leak was “not large”, the official said measures were taken to prevent further spread of the compromised data.

The Japanese government has been bracing itself for a greater intensity of attacks than those launched against the Rio and London games. Together with the Tokyo 2020 organising committee, it has conducted cyber security exercises, such as Cyber Colosseum, to simulate potential attacks, both in cities and rural areas.

Earlier this year, it also trained 220 white hat hackers from Japanese ICT firms such as NTT and NEC in a security training programme developed by Japan’s National Institute of Information and Communications Technology.

Mihoko Matsubara, chief cyber security strategist at NTT, noted in a February 2021 report on Japan’s cyber security strategy for Tokyo 2020 that the coronavirus pandemic has complicated ways to secure the event both physically and virtually.

With over 90% of Tokyo 2020 organising committee members working from home to prevent Covid-19 infections, Matsubara said it was important to secure not only Tokyo 2020-related infrastructure such as electricity, transportation and venues, but also remote work environments.

The Olympic Games have always been targeted by threat actors looking to capitalise on the event. During London 2012, there were reportedly six major cyber attacks, including distributed denial of service attacks on power systems that lasted for 40 minutes. Hacktivists also made calls on social media to launch similar attacks at specific times.

At Rio 2016, the International Olympic Committee said it was under regular attack. Phishing emails were also sent to athletes in attempts to steal credentials that could be used to access a World Anti-Doping Agency database.
