As it moves into the final stretch of its regular season, the National Basketball Association said over the weekend that "an unauthorized third party" netted a database filled with the names and email addresses of fans.
The data was housed by a newsletter service that it partners with, the NBA noted in a letter to those affected — an all-too-common instance of the risk that third-party vendors can represent for organizations if their security isn't properly vetted.
For the affected fans of the sport, they now have more to deal with than just handicapping the playoff picture. While account credentials, phone numbers, and other sensitive information were not included in the heist, they should still expect targeted email phishing attacks related to NBA topics, the NBA warned in the letter, which was tweeted out by one recipient. Those could include messages appearing to relate to office pools and other business-themed attacks.
"Even though the information did not contain much sensitive information, by using a name and email address, along with the knowledge that this individual has an interest in the NBA, social engineers could put together a much more appealing phishing attack than if they had none of this information," Erich Kron, security awareness advocate at KnowBe4, said in an emailed statement.