A ransomware attack on the national governing body for football in the Netherlands has led to the admission that it paid hackers to secure the safety of its stolen data.
The Royal Dutch Football Association (KNVB) confirmed that the Russian-language LockBit ransomware group successfully accessed its systems, stole personal data, and held that data to ransom in what is likely to be a showing of the group’s trademark double extortion tactics.
According to the KNVB, the personal data believed to be compromised in the attack belonged to a broad range of audiences, from youth players’ families to professionals.
Some footballers who played professionally in the 2016-2018 period may have had their name, address, salary, and signature details stolen by LockBit, for example.
People who were involved in disciplinary matters with the KNVB, such as sanctions, in the 21-year period between 1999 and 2020 may also have had their name, address, contact details, and other information found in their disciplinary files stolen by the ransomware actors. This could apply to players, coaches, and KNVB staff.
Parents and guardians of youth players who were transferred to overseas football clubs during the five-year period between 2014 and 2019 also may have had their KNVB ID and signature stolen.
The KNVB has attempted to contact those affected directly, but has admitted that it has been unable to reach everyone it believes to have been impacted.
Fox-IT was the incident responder called to help the KNVB investigate the attack, which was discovered on 1 April 2023. Experts were unable to conclusively identify what data had and hadn’t been stolen due to “only a limited number of digital traces” that were available to investigators.
Discover how organizations are defending against ransomware attacks today.
DOWNLOAD FOR FREE
“For the KNVB, preventing such a spread ultimately weighs more heavily than the principle of not allowing ourselves to be extorted,” the KNVB said in a blog post(translated).
“That is why agreements were made under expert guidance about non-publication and deletion of data. The KNVB will not provide any further information about the precise content of these agreements.
“The KNVB does not want to fall back completely on promises made by criminals. We therefore inform those involved whose data may have been stolen or accessed. This enables them to remain extra alert to any signals of misuse of their data.
“The KNVB deeply regrets this incident and apologizes to all involved for any inconvenience they may experience as a result.”
An industry-standard response
The transparent and straightforward public response to the incident from the KNVB is a rare admission of guilt in such a situation and one the business landscape very rarely sees.
It’s not often victims of ransomware in the corporate world are so candid about the nature of such attacks, and even rarer is it that victims so clearly and confidently admit to paying ransoms set by the cyber criminals.
Of course, paying ransoms is a highly common practice, despite guidance from national cyber security agencies vehemently pushing victims the other way. If it wasn’t, there would be no thriving ransomware market to speak about.
However, if any large organization were to freely admit to going against the received wisdom in the security industry, it would most likely be an organization like the KNVB, which doesn’t have to fear such an admission’s impact on its stock price or business partner relationships as much as a Fortune 500 firm, for example.
The openness of a cyber incident response, and the impact it has on companies in the long term has been debated for years.
Some would cite the famous case study of Norsk Hydro in 2019 as an example of ransomware incident response best practice. Speaking to ITPro in 2022, crisis PR expert Jack Myers said the company’s candor in its response to the incident could have bettered the firm’s reputation in the long run.
Norsk Hydro regularly updated a dedicated, well-advertised blog on its website, providing regular updates on the company’s recovery process. It appointed the CIO as the chief spokesperson on the incident rather than a PR team, showing how important the firm considered the matter to be.
There are widely held fears in the business world that admitting to the public that a company has succumbed to hackers causes reputational damage that would eventually lead to poorer business performance in the short and long term.
Myers pointed to British Airways’ breach in 2018 as an example of how trying to bury an incident can cause more harm than being entirely open about it from the start.
He said BA's approach, which involved trying to kill the story by saying as little as possible, ultimately backfired as a strategy and fed a negative news cycle for months after the attack as more details slowly leaked out.
