Breach of the World Anti-Doping database

PIPEDA Report of Findings #2018-006

February 7, 2018

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

1. On September 13, 2016 our Office became aware of a breach of the World Anti-Doping Agency’s (WADA) Anti-Doping Administration and Management System (ADAMS) following the public disclosure of athletes’ personal information, including their personal health information. Specifically, a group publically known as “Fancy Bear” disclosed on its website and elsewhere, the names of certain athletes who had competed in the 2016 Rio Olympic Games and their personal information which had been ex-filtrated from ADAMS.
2. Having been satisfied that there existed reasonable grounds to investigate this matter, the Privacy Commissioner of Canada commenced a Commissioner-initiated complaint on December 9, 2016, under subsection 11(2) of the Act. Specifically, the investigation focused on whether WADA had in place sufficient security safeguards to protect the personal information in its custody and control in accordance with Principles 4.7, 4.7.1, 4.7.2, and 4.7.3.

Summary of investigation

Jurisdiction

3. Part 1 of PIPEDA applies to WADA by virtue of subsection 4(1.1) and Schedule 4 of the Act, which together have the effect of making WADA’s collection, use and disclosure of personal information in the course of its interprovincial and international activities subject to the requirements of the Act. In this case, the personal information at issue is the information contained in WADA’s ADAMS database relating to athletes from around the world and which WADA collected as part of its anti-doping activities.
4. In reaching the conclusions set out in the report, our Office considered the following information:
   • Information our Office gathered and analysed from publicly available sources concerning the breach;
   • Documentation and representations provided by WADA;
   • Information obtained during a site visit at WADA’s headquarters which included interviews with WADA’s legal, administrative and technical personnel;
   • A demonstration and technical review of ADAMS; and
   • Information obtained from interviews with members of the International Olympic Committee (“IOC”).

Background

5. Established in 1999, WADA is an international and independent agency composed of, and funded by, sports organizations and governments of the world. WADA’s key activities include scientific research, education, development of anti-doping capacities, and monitoring of compliance with the World Anti-Doping Code (the “Code”).^{Footnote 1}
6. WADA is headquartered in Montreal, Quebec and manages the ADAMS database from that location.

ADAMS

7. In general terms, ADAMS is a clearing-house for anti-doping information that is managed by WADA as part of its oversight role of the anti-doping regime.
8. According to WADA, ADAMS was developed in order to coordinate anti-doping activities and to provide a mechanism to assist stakeholders with their implementation of the Code. Approximately 130 International Federations, more than 220 National Anti-Doping Organizations (ADOs), 35 laboratories and 20,000 athletes input and share data in ADAMS through its Web-based functionality. Although optional at one time, stakeholders with obligations under the Code are now required to submit certain information^{Footnote 2} via ADAMS.
9. ADAMS contains a significant amount of personal information about athletes owing to its four primary functions which include:
   • Athlete Whereabouts Platform – certain athletes^{Footnote 3} enter information about their location and stakeholders use this information for unannounced, out-of-competition testing.
   • Information Clearinghouse – storage of laboratory results, therapeutic use exemptions (TUEs) and anti-doping rule violations.
   • Doping Control Platform – ADOs and other stakeholders use ADAMS to plan, coordinate, order tests and manage test results. 
   • TUE Management – allows for management of TUE requests.
10. TUEs are exemptions that permit athletes to take substances that are otherwise prohibited in order to treat a medical illness or condition. The granting of TUEs is governed by the Code and forms an integral part of the anti-doping regime.
11. ADAMS is accessible via a web-based portal as well as a mobile application. At the time of the breach, users were only required to provide a username and password in order to access the system via the Web.

ADAMS accounts, controls and permissions

12. WADA oversees the ADAMS database and is responsible for regulating access to it and ensuring that the information it contains is safeguarded. Apart from its own employees, WADA does not directly grant users, such as athletes, access to ADAMS. Instead, WADA creates administrator accounts for ADOs, which in turn can create ADAMS accounts for both athlete and non-athlete users within its own organization.
13. When creating an administrator account for an ADO, WADA assigns permissions to the ADO to access various modules within ADAMS. The granting of permissions is intended to be based on the need-to-know principle and is related to the organization’s role in the anti-doping system.
14. The ADO uses the administrator account to create user accounts, create and assign login credentials for each user, and set the appropriate permissions for each user’s account. Administrator accounts do not have the ability to access athlete data in ADAMS per se, but they can create user accounts which do have rights to access data belong to athletes falling under the ADO’s authority.
15. ADOs that have administrator accounts are required to enter into an agreement with WADA regarding the use and sharing of information in ADAMS. As part of our investigation, we reviewed the agreement that WADA had in place with the IOC at the time of the breach. Among other things, the agreement specifies the circumstances for which the IOC can create user accounts, and imposes obligations on each party to safeguard personal information contained in ADAMS.
16. WADA has also implemented an International Standard for the Protection of Privacy and Personal Information (the Standard),^{Footnote 4} which all ADOs are required to comply with. Section 9.2 of the Standard requires ADOs to adopt “all necessary security safeguards… to prevent the loss, theft, or unauthorized access, destruction, use, modification or disclosure (including disclosures made via electronic networks) of Personal Information” that ADOs process as part of their anti-doping activities.
17. As the manager of the ADAMS database, WADA manages the security safeguards associated with the database. WADA indicates on its website that ADAMS’ multi-level access system protects the security and confidentiality of data and that it has a level of security typically used by financial institutions.^{Footnote 5}

IOC ADAMS accounts implicated in the breach

18. As will be detailed further below, the breach implicated two ADAMS accounts that were associated with the IOC. One was an administrator account (the IOC ADAMS administrator account) that had been created in 2009 by WADA for the IOC and which permitted the IOC to create sub-accounts with rights to ADAMS data. In general, the IOC was permitted through this account to create sub-accounts with access to certain data for all athletes competing at a particular Olympic Games. IOC’s access to this data in ADAMS was generally limited to the period during which the Olympic Games took place, although the IOC also had access to the test results for those athletes having participated in previous Olympics for a period of up to eight years, in accordance with the Code, for the purposes of re-testing. This account was managed by a single IOC employee who alone had access to the account.
19. The second ADAMS account implicated in the breach was created by the IOC in June 2016, in the lead-up to the Rio Olympic Games, for a WADA employee who had Independent Observer status^{Footnote 6} at the Games and therefore required access to the information necessary to monitor drug testing on athletes competing at the Games (the independent observer account). As part of the account creation process, the IOC sent the username and password for the account to the WADA employee in question by email. WADA confirmed that the WADA employee did not make significant use of the account during the period of the Games, as he already had a separate account that provided him access to ADAMS, and that he did not change the original credentials that had been emailed to him.

Events leading up to the breach

20. To provide proper context and possible motive for this breach, it is important to highlight the dramatic events which occurred in the lead-up to the 2016 Rio Olympic Games.
21. In July 2016, WADA released the findings of an independent investigation which confirmed certain allegations of Russian State manipulation of the doping control process at the 2014 Sochi Winter Olympic Games.^{Footnote 7} Russian whistleblowers had alleged state involvement in a massive doping operation in Russia, something that Russia has vehemently denied.
22. Subsequently, WADA publicly recommended that the IOC and the International Paralympic Committee (IPC) ban all Russian athletes from competing at the 2016 Rio Olympics and Paralympics.
23. The IOC, on July 24, 2016, announced that it would not implement a blanket ban on Russian athlete involvement in the Rio Olympic Games but will leave the decision to individual sport federations. The IPC, for their part, suspended the Russian Paralympic Committee, forbidding its athletes from competing in the Paralympic Games.^{Footnote 8}
24. The 2016 Rio Olympic Games took place from August 5 until August 21, 2016 and 118 Russian athletes were banned from competing.

Details regarding the data breach

25. On August 4, 2016, WADA was the subject of a spear-phishing^{Footnote 9} campaign in which emails were directed at WADA employees purportedly from WADA’s Chief Technology Officer. WADA confirmed that as a result of this campaign, three of its employees’ email accounts were compromised, including the employee to whom the independent observer account had been assigned.
26. While WADA cut off access to the email accounts within hours of becoming aware of the spear-phishing attack it confirmed that the attackers had nevertheless been able to access emails stored in the accounts for a period of 31, 40 and 72 minutes for the three accounts respectively.
27. Beginning on August 8 and continuing for several days, there were concerted efforts by the attackers who employed application exploitation methods to gain access to ADAMS. According to WADA, these attacks were unsuccessful.
28. On August 9, WADA posted a message on the ADAMS bulletin board, warning users of illegitimate emails that looked as if they came from WADA and advising them not to click on any links contained in the emails. Similar messages were posted by WADA on the bulletin board, which is accessible to all ADAMS users, over the next several days.
29. On August 10, WADA became aware that the ADAMS account of an athlete had been compromised. WADA immediately shut down the account and advised the affected athlete who informed WADA that their personal email account had been hacked.
30. On August 19, 2016, WADA changed the complexity requirement for ADAMS passwords and required all users to change their passwords to meet the new requirements.
31. On August 25, 2016, the attackers gained access to the above referenced ADAMS independent observer account using legitimate credentials. The attackers changed the password for the account and then began using it to access information contained in the ADAMS account over the course of the next several days.
32. On September 6, 2016, the attackers also gained access to the IOC ADAMS administrator account following a successful password reset of that account. The attackers used the IOC ADAMS administrator account to create an additional administrator account, which was then used to create a sub-account that was used to access information in ADAMS.
33. According to WADA, it was not until September 12, 2016 that WADA first became aware that two additional ADAMS accounts had been compromised (i.e., beyond the athlete’s account mentioned above), following the online publishing of personal information belonging to certain athletes via the Fancy Bear website. As mentioned earlier, those accounts belonged to the employee at the IOC who had administrator access and the WADA employee who had Independent Observer status at the Olympics.
34. A subsequent review by WADA of its logs indicated that the attacker generated thousands of requests to view data during the period of the breach, likely by using automation tools. Neither the WADA employee nor the IOC employee accessed the affected ADAMS accounts during the breach, and were unaware that their passwords had been changed.

The personal information affected in the data breach

35. Over a span of three weeks, beginning on September 12, 2016, the attackers published 6 batches of personal information belonging to 127 athletes of different nationalities who had competed in the Rio Games. The information consisted of TUEs, Test Reports and Adverse Analytical Findings. Adverse Analytical Findings indicate the presence of prohibited substances or methods in a particular sample.^{Footnote 10}
36. In addition to the names of athletes, nationalities, dates of birth, gender and sport, the information published also included such sensitive personal information as the prohibited substance or medication the athlete was prescribed in accordance with a TUE and in some instances, the underlying medical condition or illness supporting the TUE.
37. However, given the functionalities and permissions of the ADAMS accounts which were breached, the likely use of automation tools and the substantial number of logged activities and events pertaining to the attackers, it is possible that the personal information which was compromised involves information that goes beyond that which was published.
38. We note in this regard that the attackers had the ability to access different modules within ADAMS accessible to the IOC for the purposes of overseeing doping control at the Rio Olympic Games. The information accessible to the attackers besides TUEs and Test Results (which include Negative, Atypical and Adverse Analytical Findings), also include Doping Control Forms, whereabouts information and Anti-Doping Rule Violations and Sanctions. While the sub-account created by the attackers had an ADAMS business role associated with Athlete Biological Passports^{Footnote 11}, WADA assured our Office that the sub-account would have required additional permissions to truly access that information. Since the IOC did not have the required permissions in ADAMS, the attackers were not able to access any Athlete Biological Passports.
39. In total, WADA indicated that 11,837 athletes’ information was rendered accessible to the attackers. However, we note that the IOC also retains access to doping control testing results for the duration of the period under the Code requiring the retention and re-testing where appropriate of biomaterial provided by athletes competing in previous Games. As such, the possibility remains that the attackers could have gained access to information belonging to athletes who had been tested at previous Games, as far back as 2010.
40. The attackers also published dozens of emails which had been ex-filtrated from WADA employees’ email accounts, some of which contained sensitive personal information including positive doping test results of athletes. The attackers refer to themselves as “Fancy Bears” on their website, describing themselves as an “international hack team.”

Actions by WADA following the breach

41. WADA issued a press release on September 13, 2016 confirming the breach of ADAMS and stated that it “extended its investigation with the relevant law enforcement authorities, is conducting internal and external security vulnerability checks, and is taking the necessary measures to ensure that stakeholders securely manage ADAMS passwords and its usage.” WADA also separately notified all athletes whose information was published online and their ADOs.
42. Upon learning of the intrusion into ADAMS, WADA took a number of preventative and/or remedial steps to enhance its security safeguards. These steps included: (i) deactivating the IOC’s ADAMS accounts, (ii) disabling the “forgot password” feature, (iii) increasing its logging and monitoring capabilities of ADAMS, (iv) deactivating dormant accounts and (v) implementing stronger authentication through use of personal verification questions.
43. WADA engaged a forensic cybersecurity firm to investigate the breach. As a result, WADA was able to determine that the attackers successfully accessed ADAMS via the independent observer and IOC administrator accounts.
44. WADA also made follow-up enquiries to the IOC to determine the cause of the breach to the IOC ADAMS administrator account. The IOC indicated that it shared verbally the results of its own forensic investigation with WADA, but that a planned meeting to further discuss the breach never took place. WADA, for its part, requested further information in writing from IOC, which appears to have not been provided. During our investigation, both organizations were in discussions with a view to re-establishing IOC’s access to ADAMS before the 2018 Winter Olympics in PyeongChang, South Korea. Prior to the conclusion of our investigation, WADA re-established the IOC’s access to ADAMS.

The likely vectors for the breach

45. Although it is not possible to say with certainty how the attackers were able to access the ADAMS independent observer and IOC administrator accounts, the evidence suggests this was done by first compromising the email accounts of the WADA and IOC employees to whom the two ADAMS accounts were assigned.
46. In the case of the WADA employee, WADA confirmed that the employee’s email account was compromised through the spear phishing campaign. WADA also confirmed that the email account contained an email with the log-in credentials to the independent observer account that had been sent to him when the account was created. WADA maintained that it was unlikely that the attackers were able to access this information, since it was stored in an email sub-folder and the account was compromised only for a limited period of time. However, even with WADA’s relatively quick action this possibility cannot be ruled out given the length of time during which the attackers had access to the account.
47. It also appears that the IOC ADAMS administrator account holder’s email account was compromised as well. In this regard we note that the attackers were able to use the ADAMS password reset function to reset the password to the IOC ADAMS administrator’s account which prompted a new password to be sent by email. The IOC confirmed that an email containing the new password was found in the IOC employee’s email account’s delete folder, and that the IOC employee did not recall seeing the email or placing it in this folder. The IOC cannot explain how this occurred, however, it denies reports of a spear phishing campaign targeting its organization at the time or that there was evidence that its employee’s email account was compromised. We note that the log-in credentials to the independent observer account were potentially also in this email account’s sent folder.
48. Regardless of the exact means by which the credentials were obtained, the fact remains that the attackers were able to access the ADAMS accounts simply by using usernames and passwords (i.e., there was no additional verification required in order to access the accounts).

Application

49. In making our determinations, we applied Principles 4.1.4, 4.7, 4.7.1, 4.7.2 and 4.7.3.
50. Principle 4.1.4 requires organizations to implement policies and practices to give effect to the principles in Schedule 1 to PIPEDA, including:
    1. implementing procedures to protect personal information;
    2. establishing procedures to receive and respond to complaints and inquiries;
    3. training staff and communicating to staff information about the organization’s policies and practices; and
    4. developing information to explain the organization’s policies and procedures.
51. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Under Principle 4.7.1, the security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format.
52. Principle 4.7.2 states that the nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, the distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.
53. Under Principle 4.7.3, the methods of protection should include:
    1. physical measures, for example, locked filing cabinets and restricted access to offices;
    2. organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
    3. technological measures, for example, the use of passwords and encryption.

Findings

Safeguards

54. In determining the appropriate level of safeguards, one must ascertain the sensitivity of the information at issue. For PIPEDA, a meaningful assessment of the required level of safeguards must be context based, commensurate with the sensitivity of the data, the foreseeable risks at hand and informed by the potential risk of harm to individuals from unauthorized access, disclosure, copying, use or modification of the information.
55. There can be no argument that much of the personal information contained in ADAMS is highly sensitive. The information consists of personal health information in the form of medical conditions, medications and prescriptions, analyses of bodily samples and specimens and even genetic information outlined in an athlete’s biological passport. In addition, ADAMS also contains anti-doping rule violations and whereabouts information.
56. The potential harms associated with the breach of this information are substantial and multi-fold. Unauthorized access and disclosure of certain personal health information can cause stigmatization, discrimination and psychological harm to individuals. The release of adverse analytical findings which, for legitimate reasons, have not otherwise been made public can cause embarrassment and shame to athletes, greatly impacting their reputation, image and personal and professional livelihoods.^{Footnote 12} In this regard, we note that WADA acknowledged in its press release that this breach “will be very distressing for the athletes that have been targeted; and, cause apprehension for all athletes that were involved in the Rio 2016 Olympic Games.”^{Footnote 13}
57. Certain athletes whose medical information was leaked online publicly explained their circumstances in an effort to defend their reputation. Even whereabouts information, which pinpoints the precise time an individual is at a given location, can impact an individual’s health and security.
58. The potential reputational impact of the compromise of such personal information is also far-reaching, and can extend past individual athletes, to the Olympic movement itself, and the countries and teams that participate therein to the extent that it seeks to undermine the integrity of the anti-doping system.
59. WADA’s role as an anti-doping watchdog in which it makes decisions which can negatively impact athletes and the countries they represent makes it likely that it will be a high-value target for attacks. The attack leading to the WADA breach was, in our view, highly sophisticated in both its planning and execution. The nature of such an attack does not point to a single operator, but rather, a concerted, well-resourced, and multi-person effort including the use of automation tools. We note that certain reports have suggested that the Fancy Bear group is linked to state-involved hacking efforts.^{Footnote 14}
60. All this suggests that WADA must ensure that in designing its safeguards, WADA must take into account the value of the information it holds to those actors who may seek to acquire it through nefarious means and the prospect that it will continue to be the target of sophisticated attacks.
61. Furthermore, ADAMS stores and processes enormous amounts of sensitive data about individuals, information which the Code requires athletes to furnish to the anti-doping movement. As such, ensuring that ADAMS has adequate safeguards and protections in place is imperative to ensuring the continued confidence and trust of those involved in organized sport, the Olympic movement and the integrity of the anti-doping system.
62. Finally, the very nature of ADAMS as a database which is accessible to stakeholders from around the world through a public-facing Web-based interface heightens both the opportunity and risk of unauthorized access.
63. For the above-stated reasons, the level of security safeguards employed by WADA should be commensurately high in accordance with Principles 4.7 and 4.7.2.
64. While WADA had in place a number of technological, physical and organizational safeguards, not all were sufficiently robust or at a level which we would have expected of an organization which holds such highly sensitive information. These concerns which either directly or indirectly impacted on the unauthorized access and disclosure of personal information during this breach and the negative impacts that ensued, involve the following areas: (i) access controls, (ii) monitoring and logging, (iii) policies, procedures and training; and (iv) encryption.

Access controls

65. While ADAMS was created to allow for tiered access, certain access controls were demonstrably sub-par. Password management is a key concern. In particular, password resets for new accounts was not an obligatory practice. While WADA stated that it encouraged organizations that had administrator accounts to require forced password resets when creating new user accounts, the practice was not mandatory and the decision ultimately rested with administrators who would need to manually check a password reset box when setting up a new account. New passwords were also not set to expire after a certain period of time. As a result, it was possible that when administrators emailed users their credentials, valid credentials for multiple users could sit in email accounts indefinitely (either in an inbox or in a sent email folder). In the circumstances, this appears to have been a likely vector for the breach, at least with respect to the independent observer account.
66. WADA also did not employ a robust authentication mechanism such as two-factor authentication. Two-factor authentication generally requires a user to provide something from two of the following three categories: something you know, such as a password, something you have, such as a token, and something you are, such as biometric data.^{Footnote 15} Given the sensitivity of the information at issue and that ADAMS was accessible via a publicly-facing web interface requiring only one-factor authentication such as the use of a simple password to access accounts is, in our view, insufficient. This authentication shortcoming had also already been noted by Datatilsynet, the Norwegian Data Protection Authority, who had similarly expressed concern over the lack of two-factor authentication for access to ADAMS.^{Footnote 16}
67. In the circumstances, the attackers were able to gain access to the independent observer account through the use of legitimate login credentials, credentials which appear to have been obtained through unauthorized access to email accounts. Had access to ADAMS been subject to two-factor authentication, it would have represented an additional security barrier and rendered it much more difficult for the attackers to gain access to ADAMS in the way that they did.
68. While WADA has since introduced personal verification questions to its authentication process, the authentication process remains “one factor” (e.g. “something you know”). In June 2017, WADA released two-factor authentication through use of an SMS code or a one-time password but this security feature is not mandatory and not enabled for all users.
69. In terms of the creation of accounts, we are concerned that the ADAMS system allows for the creation of multiple accounts for a unique user even where one may not be required. In this case, it does not appear that the WADA employee needed a separate account in order to carry out his independent observer functions as he already had his own ADAMS account, yet a new one was created for him anyway. The possibility to create multiple accounts that are not needed for business purposes poses an unnecessary risk and only increases the number of potential vectors of attack. Given the highly sensitive nature of the data at stake, we did not find appropriate procedural safeguards in place to reduce this risk.
70. We also have concerns with the way WADA oversees ADOs which are granted administrative rights in ADAMS. While WADA enters into contractual agreements with ADOs, the agreement with the IOC that we reviewed contained only general provisions regarding the obligation of the IOC to implement safeguards. The agreement did not contain any provisions allowing WADA the ability to audit and inspect the security and privacy practices of the IOC to ensure compliance with its contractual obligations.
71. In the circumstances of this breach, insufficient information-sharing took place between WADA and the IOC with respect to the breach, and the forensic report which the IOC commissioned following the breach was never shared with WADA. It was thus difficult for WADA to fully assess the causes of the breach. This lack of information-sharing is disappointing given the central and collaborative role that both organizations are required to play in protecting athlete data.
72. WADA should ensure and build in stronger oversight functions over ADOs given its responsibility for protecting the information processed in ADAMS. We note in this respect that WADA has previously informed the Article 29 working party that it would ensure compliance with the Standard, which, as noted above, imposes obligations on ADOs to safeguard personal information of athletes, by means of periodic assessments.^{Footnote 17} WADA has indicated that due to resource constraints it has not conducted periodic assessments. We also note that WADA has not provided for the right to conduct such assessments in its contractual arrangements with ADOs. In our view, at a minimum, WADA should be able to inspect, assess or investigate the information systems of ADOs at any time, including both proactively to guard against security compromises and following a data breach, to ensure an intrusion has been contained and the necessary remedial measures have been implemented.
73. We are also concerned about the scope of administrative rights granted to ADOs. Administrator accounts, particularly in the case of the IOC, have extensive rights with the ability to create accounts with equal or lesser access rights which includes the ability to create other administrator accounts. The IOC noted it does not require this ability. While it may be reasonable to delegate the creation of sub-accounts to ADOs, the creation of administrator accounts – accounts, which by definition, have the ability to create user accounts with extensive access rights to ADAMS – should have been more tightly controlled by WADA.
74. Finally, we are concerned that WADA has not implemented any flagging or notification to users with respect to important and/or atypical account-related actions and activities. The IOC noted, for instance, that there was no notification that its administrator account had been used to create a new administrator account and a new user account. Sending, for instance, an email alert to a user when certain significant activities occur on their account is common practice for many web-based applications and would help mitigate the risk that an ADAMS account is used in an unauthorized fashion over several days, as occurred in this case.

Monitoring and logging

75. Another concerning factor was WADA’s limited ability to detect anomalies and intrusions in ADAMS and analyze logs from it. The attackers were able to generate thousands of events during a short period of time which were not immediately detected. Moreover, these events occurred at a time when WADA was already aware of the phishing campaign and multiple attempts to obtain unauthorized access to ADAMS, as evidenced by its bulletin board message to users posted in early August. While more robust logging and analysis tools were procured by WADA following the phishing campaign in August 2016, these were not yet adequately configured and therefore proved to be ineffective.

Policies, procedures and training

76. While WADA maintains it has in place an Information Security (IS) Corporate Policy which is based on a certain International Organization Standard (ISO), our review of the documentation provided by WADA confirmed that it lacked the written policies and procedures to give effect to those standards. Various requirements from the standard are referred to in WADA’s IS Corporate Policy, however we uncovered little evidence that WADA had in place written policies and procedures to enforce those requirements, some of which could have mitigated the breach or better prepared WADA during and after the breach.
77. WADA did not have a proper incident response plan at the time of the breach in accordance with the stated ISO standard. While WADA took some important measures, including notifying ADAMS users of the phishing campaign, its response was ad hoc. An incident response plan is crucial in limiting exposure to an organization by ensuring a quick, effective and orderly response to information security incidents. In this case, a proper breach response plan properly executed following the email phishing campaign could have reduced the impact or likelihood of the later ADAMS breach. For instance, following the phishing campaign, certain internal preventive security actions which should have been taken were not, such as immediately forcing password resets for staff accounts. While a WADA staff member suggested this, a forced password reset was not done because there was a concern that it could “cause issues” with users travelling at Rio.
78. We also found no evidence of a documented risk-management framework guiding how WADA determines which security measures would be appropriate to the risks it faces. Nor was there any evidence of WADA undertaking any threat or vulnerability assessment work. Analyzing threats and vulnerabilities can help identify information security requirements in line with the needs and risks of your specific organization. Furthermore, when asked how WADA plans and prioritizes the implementation of security features, WADA indicated that it prefers a more fluid approach as planning for these tasks is far too resource intensive. While this approach may be acceptable for an organization which manages less sensitive information, we find it is not acceptable for an organization like WADA which processes highly sensitive information.
79. The absence of written processes, procedures or templates to support compliance of an IS framework contravenes Principle 4.1.4 of PIPEDA which requires organizations to implement policies and practices to give effect to the principles including implementing procedures to protect personal information. Documented security policies and implementation plans provide clarity about expectations and requirements; ensures consistency and helps to identify and manage an organization’s risks. In that sense, proper documentation is a crucial safeguard in and of itself.
80. WADA provided little evidence of communicating to its staff, through training or other means, information about security awareness in contravention of Principle 4.1.4 (c) of the Act. Security programs can only be effective when those responsible for implementing and abiding by them are aware of what they contain, why they exist, and the consequences of neglecting their responsibilities. WADA should have in place ongoing privacy and security training and awareness programs ensuring that staff are aware of and follow security procedures.
81. Similarly, while WADA provides training to ADOs who are granted administrative rights and to other users, and has prepared an ADAMS User Guide, it appears that much of this training and material is focused on how to use ADAMS rather than on important safeguards and required practices associated with the system and the account creation process. For instance, we were informed that the non-mandatory practice of forcing password resets when creating user accounts was conveyed verbally by WADA to administrators and was not set down in writing.
82. In our view, WADA should have had in place ongoing privacy and security training and awareness programs for all staff and ADAMS stakeholders and especially those with administrative rights. WADA should have conducted a comprehensive review of the protections it has in place to protect personal information and augmented its information security framework to an appropriate level commensurate with the level of sensitivity of the data contained in ADAMS. This should have included adequately documenting that framework and its information security processes generally and taking steps to ensure that staff and stakeholders were aware of and followed security procedures, including developing and delivering an appropriate training program.

Encryption

83. Finally, we noted that WADA employs encryption in transit to protect data transmissions but fails to encrypt data at rest in ADAMS. WADA highlights that the 128-bit SSL encryption used in transit is a network security standard similar to those found in the banking industry. However, we found no evidence that WADA employed encryption for data at rest in ADAMS, thus leaving such data vulnerable if their network was to be compromised. Given the sensitivity of the information stored in ADAMS, WADA should have employed encryption at rest to better protect athlete data while in their custody.

Recommendations

84. In our preliminary report, our Office recommended that WADA augment its security safeguards to an appropriate level to protect the security and confidentiality of the sensitive personal information under its control by:
    1. Developing a comprehensive Information Security framework which incorporates written policies and procedures to ensure that possible risks have been addressed. At a minimum this would include:
       1. the identification, analysis and documentation of internal and external risks that can impact personal information across all systems (including mobile) and processes that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and the assessment of the sufficiency of any safeguards in place to control these risks;
       2. the design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing;
       3. the evaluation and adjustment of the information security program in light of the results of the testing and monitoring noted above;
       4. the development of a training program to be provided to employees, contractors and stakeholders about information security management policies and procedures noted above.
    2. Implementing appropriate safeguards related to access controls including:
       1. Mandatory password changes for new accounts and expiry periods for temporary passwords;
       2. Mandatory 2 factor authentication for all users;
       3. Updating its contractual arrangements to allow WADA to audit and/or inspect ADOs with access to ADAMS to ensure compliance with security and privacy policies;
       4. Assuming sole control of administrator accounts provided to third parties by removing the latter’s ability to create further administrator accounts;
       5. Providing notifications to users when key actions are taken, or atypical activity detected, on their accounts.
    3. Employing encryption at rest for ADAMS data in their custody.
    4. Ensuring that application security and intrusion detection is properly configured and that systems and logs are adequately and actively monitored.
    5. Providing the OPC with a report from a qualified and independent third party documenting the measures it has taken to come into compliance with the above recommendations.
85. In response to our preliminary report, WADA agreed to implement all of the recommendations with the exception of imposing mandatory two-factor authentication for athletes. While WADA agreed to make two-factor authentication mandatory for all non-athlete ADAMS users, WADA indicated that the method should be optional for athletes. WADA stated that this method of authentication may not be necessary or feasible for all athletes since certain athletes from developing or least-developed countries may not have the technological capabilities or means to implement two-factor authentication. Furthermore, WADA stated that athletes have access to only a limited subset of their own personal information and therefore the risk to that information must be balanced against the convenience and efficiency for athletes when inputting their information into ADAMS.
86. After careful consideration, our Office accepts WADA’s proposal of providing two-factor authentication to athletes on an optional basis (while making it mandatory for all other users) on the stipulation that WADA actively and continuously recommends its use and provides information to athletes about how and why they should avail themselves of this more secure method of authentication.

Conclusion

87. Accordingly, we conclude that the matter is well-founded and conditionally resolved.
88. Our Office has a continuing interest in ensuring that WADA implements the measures needed to bring it into full compliance with the Act. As such our Office will be closely monitoring the organization’s implementation of our recommendations and, to this end, has entered into a compliance agreement with WADA pursuant to subsection 17.1(1) of the Act.