The World Anti-Doping Agency (WADA) confirms that a Russian cyber espionage group operator by the name of Tsar Team (APT28), also known as Fancy Bear, illegally gained access to WADA’s Anti-Doping Administration and Management System (ADAMS) database via an International Olympic Committee (IOC)-created account for the Rio 2016 Games. The group accessed athlete data, including confidential medical data -- such as Therapeutic Use Exemptions delivered by International Sports Federations (IFs) and National Anti-Doping Organizations (NADOs) -- related to the Rio Games; and, subsequently released some of the data in the public domain, accompanied by the threat that they will release more.
While it is an evolving situation, at present, we believe that access to ADAMS was obtained through spear phishing of email accounts; whereby, ADAMS passwords were obtained enabling access to ADAMS account information confined to the Rio 2016 Games. At present, we have no reason to believe that other ADAMS data has been compromised.
“WADA deeply regrets this situation and is very conscious of the threat that it represents to athletes whose confidential information has been divulged through this criminal act,” said Olivier Niggli, Director General, WADA. “We are reaching out to stakeholders, such as the IOC, IFs and NADOs, regarding the specific athletes impacted,” he continued.
“WADA condemns these ongoing cyber-attacks that are being carried out in an attempt to undermine WADA and the global anti-doping system,” said Niggli. “WADA has been informed by law enforcement authorities that these attacks are originating out of Russia,” he continued. “Let it be known that these criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia further to the outcomes of the Agency’s independent McLaren Investigation Report,” Niggli continued.
WADA is taking this attack very seriously. The Agency extended its investigation with the relevant law enforcement authorities; is conducting internal and external security vulnerability checks; and, is taking the necessary measures to ensure that stakeholders securely manage ADAMS passwords and its usage.
This attack comes on the heels of the early August incident; whereby, Yuliya Stepanova’s password for ADAMS was illegally obtained, which allowed a perpetrator to access her account on ADAMS. Ms. Stepanova was the key whistleblower for WADA’s Independent Pound Commission that exposed widespread doping in Russian athletics.