While Olympians were vying for track-and-field medals in Rio de Janeiro last week, Brazilian hacktivist group AnonOpsBR was trying to secure its own victory. Last week on its Twitter profile (@anonopsbrazil), the group posted a Pastebin link to an apparent dump of employee contact data stolen from the Olympic Broadcasting Service (OBS).
OBS is the arm of the International Olympic Committee responsible for distributing official images of the Games. The attack may have been in response to the collapse of an OBS video camera Aug. 15 that injured bystanders in the Olympic Park, according to researchers at Tempest Threat Intelligence.
According to Tempest, the data dump did appear to include OBS employees' and freelancers' legitimate names, job titles, email addresses, and both mobile phone and landline numbers. "The data dump also contained some links to potentially sensitive PDF documents supposedly stored on the company's main website," said Tempest in a blog. The site was temporarily taken offline, "probably by the company itself," not attackers.
The compromise did not affect image generation or broadcast of the Olympic Games, say Tempest researchers, because the IT environment for OBS's field operations was segregated from its web presence. They believe the compromise was achieved via a SQL injection on the website, but this was unconfirmed.