Cyber Security

The Milwaukee Bucks Got Hacked, Here’s What Could Happen

Spear-phishing is on the rise and the Bucks' case could be a study in what happens when it hits the rich and famous

Cyber Security
Illustration: R. A. Di Ieso
May 20, 2016 at 4:47 PM ET

According to the Vertical, the Milwaukee Bucks were snookered by an increasingly common online scam: spear-phishing, where a hacker, posing as a CEO or other prominent member of a company, sends an email urgently requesting private information that is accessible by a low-level employee. In this instance, a thief pretending to be Bucks president Peter Feigin duped someone into forking over the entirety of the team’s 2015 IRS W-2 documents.

The Bucks have since reported the crime to both the FBI and the IRS, but one player’s agent described the breach as “unacceptable,” insisting that both his/her client and every other individual in the Bucks’ organization now vulnerable to identity theft, “know the exact measures being taken by the Bucks and the FBI to ensure each and every player’s identity and financial information will not be compromised. There needs to be accountability for such a mistake, details on the steps taken to rectify it and a process put in place to make sure this never happens again.”

That’s all well and good, but when it comes to the info currently in the possession of an alleged criminal—the “names, addresses, Social Security Numbers, rates of compensation and dates of birth”—the damage has already been done.

Vocativ spoke with Eva Velasquez, the president of the Identity Theft Resource Center, a nonprofit that works with victims of identity theft. When asked if notifying the IRS was enough to prevent someone from filing a false return on the behalf of any of the multimillionaires that dot the Bucks’ roster and collecting what’s sure to be a not insignificant refund, she said, “No.”

“I wish that it worked that way,” Velasquez continued. “This is a huge problem. It was the most reported type of identity theft to the Federal Trade Commission last year, and in every state it was the highest percentage … and unfortunately the IRS is running as fast as they can to create mechanisms in order to prevent that kind of fraud, but they have not been able to keep up.”

Velasquez explained that, five or six years ago, all that was needed to send a fake return was to swipe someone’s full name and Social Security number. The IRS put a system of fraud protection in place, such that if too much information differed from one year to the next, it’d set off the appropriate alarm bells.

Now, thieves need to get a fuller picture of who you are in order to pull off this crime, and as such, the information provided by W-2 forms are increasingly a prime target for hackers. As Kevin Collier wrote in April at this website, reported instances of spear phishing have “skyrocketed” over the last three years.

“While there is no publicly available, comprehensive government list of data breaches,” he wrote, “a combination of local media stories, data from independent researchers and information revealed due to certain states’ strong disclosure laws shows that more than 60 companies were affected in February and March alone.”

While the IRS is aware of the problem, Collier also reported that recent budgetary cuts and layoffs have made it all the more difficult to detect a falsified tax return, resulting in a plummeting number of convictions for identity theft by the agency. Seven former IRS commissioners were so worried they penned an open letter to Congress, in which they wrote, “None of us has ever witnessed anything like what has happened to the IRS appropriations over the last five years and the impact these appropriations reductions are having on our tax system.”

Velasquez added that while hackers don’t necessarily look to rip off individuals in as high a tax bracket as a professional athlete, this heist has the potential to pay off in a big way.

“These individuals that had their information compromised have much higher incomes and, assumedly, much higher credit scores,” she said. “The thieves will have the ability to secure, potentially, lines of credit or loans at a much higher dollar amount.”