The names and Social Security Numbers of nearly 21,000 people got into the wrong hands, as the 49ers quietly acknowledged in notifications to those folks that their information was breached in a February ransomware attack against the team.

San Francisco 49ers fans likely felt they had a little quandary this week on the shock news that Jimmy Garoppolo was staying with the team, which certainly creates more drama at the quarterback position. But that is a mere trifling concern compared to what we’re learning today, via CNet, that nearly 21,000 people had their names and Social Security Numbers exposed to hackers in a ransomware attack that occurred last February.

It is very unclear who the victims are, whether they be season ticket holders, 49ers organization employees, or just other people whose Social Security Numbers the team had on record for whatever reason. At the time of the ransomware attack in February (we don’t know whether the team paid the ransom), the team said in a statement that “we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders.”

But the security blog Bleeping Computer has a very detailed writeup of what we know about the 49ers data breach. And frankly, we wouldn’t know anything about this if not for an obscure law in the state of Maine, some 3,000 miles away, that requires public disclosure of data breaches if they affect any Maine residents.

Bleeping Computer got ahold of that notification data. It states that 20,930 people had their names and Social Security Numbers exposed, and seven of them were Maine residents.

Bleeping Computer also obtained the notification letter the 49ers sent to the victims. (If you didn’t get one, you’re in the clear.) “We detected a network security incident involving our corporate IT network. We immediately activated our incident response plan, took measures to stop the access and launched an investigation,” the letter says. “We conducted a thorough review of these files to identify the individuals whose information was contained in the files and additional research to locate and verify the addresses for these individuals. We completed this process on August 9, 2022, and determined that some of your information was included in the files.”

The team is offering one year of free Experian credit monitoring and identity theft protection to the victims.

It’s frustrating that the 49ers organization is not being forthcoming about who was affected. But that might actually be the right call: revealing this might provide a blueprint for how other organizations could be nailed by similar ransomware attacks. It could also expose methods being used to track and potentially prosecute the hackers, and the prosecution of those hackers is how we hope all this ends.
