IAAF says it's been hacked, athlete medical info accessed

The governing body of track and field has been hacked by Fancy Bears, the group that previously attacked the World Anti-Doping Agency.

Governing body reveals hack 'has compromised athletes'

The IAAF president Sebastian Coe said Monday he believes a hack “has compromised athletes” Therapeutic Use Exemption (TUE) applications stored on IAAF servers during an unauthorized remote access to its network on Feb. 21. (Ian Walton/Getty Images)

The governing body of track and field has been hacked by Fancy Bears, the group that previously attacked the World Anti-Doping Agency.

The IAAF said Monday it believes the hack "has compromised athletes' Therapeutic Use Exemption (TUE) applications stored on IAAF servers" during an unauthorized remote access to its network on Feb. 21.

TUEs are permissions for athletes to take substances that would normally be banned, and are used by athletes around the world.

"Our first priority is to the athletes who have provided the IAAF with information that they believed would be secure and confidential," IAAF President Sebastian Coe said in a statement. "They have our sincerest apologies and our total commitment to continue to do everything in our power to remedy the situation."

The IAAF said it had been in contact with athletes who have applied for TUEs since 2012.

Context Information Security, a British security company, said in a statement released by the IAAF that it discovered the attack.

"In January 2017, the IAAF contacted Context Information Security to conduct a proactive and thorough technical investigation across its systems, which led to the discovery of a sophisticated intrusion," the company said. "Throughout the investigation, the IAAF have understood the importance and impact of the attack and have provided us comprehensive assistance."

Coe, speaking in Aarhus, Denmark, ahead of a conference of global Olympic sports officials, said the IAAF is using the "world's best people" to make the organization's computers safe.

"We have now done everything we possibly could to put new systems in place," Coe said. "The athletes had the right to expect that information given to us to be securely housed. Unfortunately, it's not the first time. Other organizations have been the subject of this and we do of course deplore that, but it was very important that we discussed that with the athletes."

WADA has previously said Fancy Bears originate from Russia, citing information from law enforcement agencies.

Russian officials have denied any links with Fancy Bears, but have praised the group's previous publications, which they say undermined Western countries' criticism of widespread use of banned substances by Russians. The IAAF banned Russia's team from competing internationally in 2015 after investigations by WADA found evidence of state-sponsored doping.

Fancy Bears began posting medical records of Olympians online last year, with U.S. and British athletes making up a large proportion of those targeted. Only selected records were released, and no Russians with TUEs were named, even though records show dozens of TUEs had been granted there in recent years.

As of Monday, Fancy Bears' website contained no mention of IAAF information.