09-Oct-2019

 

In an incident which took place in March 2018, some member emails and passwords were obtained by hackers in an automated hack of one element of our platform. Here is an overview of what happened and steps taken by Clubforce since to remedy the situation. 

What happened exactly?

Without getting too technical, an automated script managed to gain access to one element of our platform, obtaining emails and passwords in the process.

What data was obtained? 

Usernames (i.e. email addresses) and passwords for a significant number of club members were obtained. No financial data was obtained, nor is any financial data stored on the Clubforce system, making it virtually impossible for hackers to gain access to such data in an attack of this kind.

How did this go undetected for so long? 

Unfortunately such threats are so varied it is difficult to ensure 100% security. The incident happened despite robust security and monitoring by our own development team and external security experts and went undetected until September 2019. Our security systems have evolved significantly in the intervening period and we continue to review our approach to security in light of the latest threats and best practice protocols. 

Clubforce are not alone in experiencing such an attack; some of the world’s largest companies have been breached and, according to the Irish Computer Society, over 50% of companies in Ireland have been breached at some point over the last 18 months.

Were the exposed login credentials ever used? 

We have no evidence to indicate that the login credentials obtained were ever used, so updating passwords now should ensure that members are fully secure once again.

There is no evidence of a concentrated attack on our system and it is unlikely (although not impossible) that hackers would attempt to harvest personal data manually.

How has Clubforce responded? 

Technical Review

Clubforce has always treated club and member data with the utmost importance and has continually invested in security, both direct investment in our system and through consultation with globally-accredited specialists in the field. 

This year (prior to learning of the breach), we hired a new Chief Technology Officer (CTO) who is taking the lead on a complete architectural review and improvement program for our system. In tandem, we have worked with another external consultancy to rigorously test our security and as a result we continue to update our security protocols to counter evolving threats. 

Since learning about the breach, we have conducted a forensic security audit and made a number of additional security improvements. 

Communications

Clubforce immediately contacted the Data Protection Commissioner’s office, filed the necessary paperwork and has since informed the Garda Síochána. We continue to communicate with the DP’s office, detailing a log of all activity and providing detailed technical reports of the incident and our response.

On Friday 4th October 2019, we began notifying relevant Governing Bodies of sport and affected members of clubs via email. Club administrators were also notified through the club administration panel on our platform. 

Following that communication, we also notified all club administrators (who may not have received the original communication) on Wednesday, 9th October. 

Common Questions 

Your club may have questions or may have to field questions from members relating to this incident. Here are the most common questions we’ve heard since the announcement on Friday. 

Is this likely to happen again? 

The vulnerability has since been fixed and additional security measures are now in place. We have taken significant steps to ensure our data is secure over the last 12 months and continue to invest in this area. We cannot guarantee that it won’t re-occur but are taking all necessary steps to prevent such attacks in future and believe existing system monitoring will alert us to any potential threats, allowing us to respond immediately. 

What should I tell our members? 

If members have received the email, simply recommend that they update their password as soon as possible. If they have not received the email, the likelihood is that they are not affected but it is still good practice to routinely update passwords and not to use the same password for all online platforms. 

Members of our club were notified but we were not? 

It is possible that members of your club are also members of another club (or clubs) or have participated in club fundraising for another club via Clubforce. All affected clubs and members have been notified directly by Clubforce. 

What if a member wants their Clubforce records deleted?

Any member is entitled to request to access, modify or delete their personal data on Clubforce. If such a request is made to the club (as Data Controller), they must inform Clubforce (as Data Processor) in a timely manner and then Clubforce can take the necessary action. 

If club members make the request directly to Clubforce, we will be instructing them to notify the club (as Data Controller) to start the request and thereafter we will process the request on instruction from the club. 

Should the club consider using a different service for membership management? 

Clubs that consider using systems that don’t have the security resources or experience of a company like Clubforce run the risk of another incident (and a potentially more damaging one). If your club is considering other systems, we recommend you get a detailed overview of their network and system security and the experience of the personnel responsible for processing your club’s data. 

Clubforce has at all times acted in a transparent and legally compliant manner and will continue to act in the best interests of our customers and their members. 

Clubforce wishes to apologise for this incident and any inconvenience caused to clubs, volunteers and their members. We believe this incident has led us to even stronger security protocols and underpins the need for continuous investment in secure systems for amateur sports clubs, volunteers and members. 

If any club wishes to speak to someone at Clubforce regarding this matter, please fill in the form below and a member of our management team will arrange to call you. 
