In a data breach notification letter filed with multiple states across the US, the company said that despite detecting and blocking the hackers from encrypting its files, the intruders managed to steal a copy of its backups. This backup contained data from ArbiterGame, ArbiterOne, and ArbiterWorks — three of the web applications used by schools and sports leagues to assign and manage the schedules and training programs of referees and game officials. ArbiterSports said it paid the hackers to delete the stolen data — a database backup.
It is believed the data leak has impacted around 540,000 of its registered members, who are referees, leagues officials and school representatives.
The ransomware attack took place on July 15 this year, but has now been published in the notification letters.
ArbiterSports issued a statement which said the data backups contained sensitive information such as account usernames and passwords, as well as social security numbers and addresses.
The company said: “The passwords and Social Security numbers were encrypted in the file, but the unauthorised party was able to decrypt the data.”
READ MORE: North Korea hackers target cryptocurrency in horror global campaign
Arbiter was then forced to pay off the hackers to keep the information secure, but has not disclosed the amount paid.
After making the payment, the company reported it “obtained confirmation that the unauthorised party deleted the file”.
There is no guarantee the hackers have not copied the database before deleting the initial collection.
The company then told its users to change their passwords and offered them a years protection from Experian.
Mr Mukai also claimed in his post Arbiter’s proof of deletion “is not a thing” and the data remains a concern.
He said of the hackers claims they deleted the stolen data: “If (Arbiter) believe it, they’re fools.
“If they don’t believe it, they’re lying to us to make us think they’ve adequately cleaned up the mess.
“But they haven’t. Leaked data is a Pandora’s box; once released it can never be taken back.
“Our sensitive personal info is forever vulnerable out in the wild now.”
In May, another US firm payed off hackers after a ransomware attack.
Blackbaud, software and cloud hosting provider, reported it stopped a ransomware attack on users files, but still had to pay off the hackers as they obtained information about the company’s network.
It said: “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.
“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
Additional reporting from Grace MacRae