Road to Rio Riddled With Cybersecurity Potholes


By Daniel R. Stoller

Aug. 4 — Cybercriminals don't compete at the Olympics for medals or personal and national pride. For them, the lure of the Summer Olympic Games opening in Rio de Janeiro Aug. 5 is hacking notoriety and perhaps riches.

The 2016 Summer Olympics has made headlines for less-than-ideal athlete villages, poor environmental standards, Zika virus risks and slack physical security. But the biggest threat to what the Rio Olympics website says will be 10,000 contestants—as well as tens of thousands of support staff and spectators—will be hackers and hacktivists looking for a big score, cybersecurity professionals told Bloomberg BNA.

The maelstrom of online activity presents an opportunity for hackers to attack Fortune 500 companies, they said, adding that keeping up strong oversight of third-party vendors during the Olympics is crucial.


The “Olympics is focused on protecting” itself against cyberattacks and “protecting athletes, attendees” and network infrastructure, Samir Kapuria, senior vice president of Cyber Security Business at Symantec Corp., told Bloomberg BNA. Even with the preparation, “companies and individuals should be wary of any incoming e-mails or other information related to the Olympics,” he said.

Companies, athletes and spectators should “be a little skeptical” with online data and should “think before they click on any suspicious or unknown links,” Kapuria said.

Although the political climate may play a role in Brazil's cybersecurity threats, “there are no technical differences between the internet in Brazil, the U.K. and the U.S.,” Mark McArdle, chief technology officer at Cambridge, Ontario-based cybersecurity company eSentire Inc., told Bloomberg BNA. The Olympics carries the same risk factors “as the World Cup, Super Bowl, World Series, and any other major event,” he said. “Hackers prey on people's enthusiasm.”

However, Brazil's weak law enforcement agencies may mean there is less risk of hackers getting caught, McArdle said.

Because the Olympics may be a breeding ground for hackers and hacktivists, U.S. companies doing business in Brazil or as an Olympic sponsor should be wary of third-party vendors, limited law enforcement agency authority and phishing attacks, the cybersecurity professionals said.

The International Olympics Committee (IOC) referred Bloomberg BNA to its information technology partner Atos SE for cybersecurity questions. An Atos spokeswoman told Bloomberg BNA that cybersecurity is a “priority for Atos” and that “Rio 2016 is no different.” In preparation for the Olympics, Atos “has implemented the latest cybersecurity technologies to protect the games IT infrastructure and systems,” she said.

Are Vendors the Weak Link?

U.S. and multinational companies that do business in association with the IOC may be the biggest targets, but any corporation doing business in Brazil should shore up their digital defenses, the cybersecurity professionals said.

Multinational companies that partner with the IOC include: The Coca-Cola Co., General Electric Co., McDonald's Corp, Visa Inc., Samsung Electronics Co. and Bridgestone Corp., among others.

McArdle said that as a global event the Olympics is a great way for hackers to infiltrate Fortune 500 companies and the IOC.

The easiest way for a larger company to be breached is through a smaller third-party vendor, McArdle said. This issue is known as “vendor-risk management,” where “the smaller vendors have access to sensitive information and have access to the larger organization's network,” he said. In most cases, the smaller vendor lacks the resources to protect the sensitive data and the hackers know it, McArdle said.

Companies need to do their due diligence on smaller vendors and “see the threat before the third party,” he said.

Stu Sjouwerman, chief executive officer at internet security company KnowBe4 LLC, told Bloomberg BNA that the weak link for larger corporations doing business in Brazil is the local vendors. For example, a hacker in Brazil may target a local vendor and send “e-mails regarding production planning with an attached infected document,” he said. Once that file is opened, the “bad guys can get into the network and start sending spoofed e-mails,” Sjouwerman said.

Chief executive officer fraud attacks are increasingly common in this scenario, Sjouwerman said. A hacker can easily “send a fake e-mail from a corporate account” with a message “to send money to the third-party vendor” for additional resources, he said.

“You'd be surprised how many people fall for the CEO fraud attacks,” Sjouwerman said.

Security Outsourcing Hurdles

U.S. companies doing business with the IOC might think about outsourcing their cybersecurity to local cybersecurity professionals, but this may not be a great idea, Timothy Edgar, senior fellow at the Watson Institute for International Studies and Public Affairs at Brown University, told Bloomberg BNA.

Outsourcing technology-based jobs to Brazil “always creates cybersecurity risks,” Edgar, who also served as director of privacy and civil liberties for the White House National Security Staff from 2009 to 2010, said. Although this practice may be useful for a business and does save money, companies shouldn't “outsource its security or it will find its losses are much greater than whatever money it has saved,” he said.

This threat is only highlighted by the “complex relationship” Brazil has with the U.S. after the revelation of the NSA's bulk collection of information, including “industrial espionage,” Edgar said.

The recent U.S. election-based cyberattacks allegedly tied to Russia only highlight the willingness of foreign countries to leak sensitive data (147 PRA, 8/1/16). President Barack Obama addressed the international cyberattacks at a press conference Aug. 2 and called for global anti-hacking rules. At this stage, however, many nations are “playing catchup” to the growth of internet security, Obama said.

Edgar said that “it is quite plausible Russian or Chinese intelligence would seek to leverage assets among IOC insiders to gain access to targets in the United States and other countries.” Foreign intelligence services may “find some Brazilians sympathetic to an effort to teach the United States a lesson by turning the tables on” U.S. corporations, he said.

A U.S. State Department official told Bloomberg BNA that U.S. companies doing business in Brazil should refer to Overseas Security Advisory Council (OSAC) reports. These reports are “the Department of State's mechanism for communicating threat and security information to the U.S. private sector operating abroad,” which includes cybersecurity threat information, the official said.

Political Turmoil Attracts Hacks

Cybersecurity issues aren't a new phenomenon in Brazil.

Cyberattacks across Brazil have been increasing since the 2014 FIFA World Cup, Timothy C. Summers, chief executive officer of Washington-based cybersecurity consulting firm Summers & Co., told Bloomberg BNA. “Brazilian cyberattacks increased by 197 percent in 2014 and banking fraud increased by 40 percent in 2015,” he said.

Throughout the World Cup, “Brazil saw close to 90,000 cyberattacks in a 30-day period,” and these attacks should “increase substantially” as the Olympics approach, Summers said.

Kapuria agreed that Brazil “has its share of cybersecurity issues.” As laid out in Symantec's 2016 Internet Security Report, “Brazil was one of the top 10 countries for Botnet attacks,” he said.

Many nations host international sporting events with lower levels of cyberattacks, so what makes the Rio Olympics so attractive to cybercriminals? According to Summers, it's Brazil's political climate.

The country's “political turmoil, economic recession and overspending on preparation for the games” may attract terrorists and “money hungry cybercriminals,” Summers said. Hacktivists, especially, will focus on government targets due to “excessive spending,” preparation and “poor organization,” he said.

Emily Wilson, director of analysis at data-risk consulting company Terbium Labs, told Bloomberg BNA that hackers will likely target entities that have a strong tie to the Brazilian government. The hackers will be targeting government-controlled “energy companies” and “law enforcement agencies,” she said.

These hacktivists are upping “their game to get the big targets and make a splash” to get out their message on “how Brazil should properly use its resources,” she said.

Athletes, Spectators are Targets

Athletes, spectators and employees of large multinational corporations attending the Olympics may be prime targets for hackers, the cybersecurity professionals said.

Kapuria said for “athletes and fans traveling to Brazil for the Olympics, it's important to remain cognizant of cybersecurity.” The athletes and fans should be wary of Wi-Fi hotspots and “protect against missing or stolen devices by securing your data with a backup system and encryption,” he said.

McArdle said that spectators traveling to Rio need to be wary of any vendor that asks for personally identifiable information. Corporate sponsors “are trying to promote their brands and are doing a lot of online media campaigns,” he said. If companies take a lot of personal data it puts them at greater risk of an attack, he said.

When a company is breached, a vast amount of consumer data—credit card information, social security numbers, addresses, etc.—may be released and this may put a huge strain on the consumer. Therefore, collecting less data is better for both company and consumer, McArdle said.

Additionally, when visiting Rio “you have to be skeptical of things that you take for granted at home,” such as Wi-Fi hotspots, online app stores and purported official websites, McArdle said.

If athletes and spectators are skeptical “of any Olympic branded item, they will have a much better time,” he said.

Sjouwerman said that athletes may be at particular risk due to constant communications with the IOC. Instead of the fake CEO e-mail, athletes may receive a “doping complaint from the IOC” with an attachment that the athlete must respond to, he said. Because of the seriousness of this alleged violation, any athlete is going to open the attachment and open themselves up to a data breach, Sjouwerman said.

To combat these attacks, Sjouwerman recommends traveling with a burner phone and an encrypted laptop. If a spectator or corporate employee must connect to the internet they should use a VPN and stay away from “free Wi-Fi anywhere, even at the hotel,” he said.

As a final precaution, Sjouwerman said that anyone traveling to Rio should “think before you click and if you are traveling think three times before you click.”

To contact the reporter on this story: Daniel R. Stoller in Washington

To contact the editors responsible for this story: Donald G. Aplin; Jimmy H. Koo

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
