COLORADO SPRINGS, Colo. (BRAIN) — USA Cycling told members on Friday that the organization's website had been breached. The organization said members' personal information associated with online accounts, including names, mailing addresses, email addresses, dates of birth, emergency contacts, and USA Cycling passwords could have been released.
The site does not store members' drivers' license or state ID numbers, credit card numbers, bank account numbers, Social Security numbers, or medical or health insurance information.
"What we know of the incident is that a hacker gained access to at least some of our databases within the last two weeks. We have been in contact with the authorities, and have employed a leading cyber security expert to advise us in this matter. We believe we have now secured all our systems and face no further data security risks. We are notifying you as soon as we were able to assess the situation and secure our systems," USA Cycling said.
The organization emailed its members and told them to change their passwords on the site immediately.
"Though we know of no inappropriate use of any data, we are notifying you so that you can take precautionary measures to protect yourself from identify theft or other forms of fraud. In particular, we advise that if your USA Cycling password is used in other accounts, you change your password in those other accounts immediately."
The organization said members should have no difficulties registering or participating in races this weekend, but said they should update their passwords on the website, use the new password to sign into their USA Cycling mobile app, if they use it, and bring a hard copy of their license to the event.
In a FAQ section of the USA Cycling website, the organization noted that members' passwords were not encrypted.
'We deeply regret that our member account passwords were not encrypted. We were aware of this need, and have been exploring fixing that data security vulnerability for the last several months. But the legacy IT system we have been operating on for the past decade or more makes the transition very difficult and costly. And because we are embarking on a total overhaul of our IT systems, which will include moving to encrypted data storage within the next several months, we chose not to invest in our current system and then promptly replace it with a new system. In hindsight, we regret that decision as we should have encrypted data on our old system with absolute urgency. We are very sorry for this mistake."