The Official Forum


crosscountry55 Wed Aug 26, 2020 11:29pm

Arbiter Data Breach
 
Anyone else get the Arbiter data breach notification today? I changed my password and signed up for the offered Experian monitoring.

I recall past discussions about Arbiter’s security vulnerabilities and lax encryption. It would seem the chickens have come home to roost.

If Arbiter was concerned about emerging competition before, that concern must now be quadrupled. It’s not a good time for the boys in Sandy, UT.



justaref61 Thu Aug 27, 2020 05:17am

I received the email also but have been skeptical of its authenticity because of the wording about the involvement of "my child's information". I just haven't taken the time to call or email Arbiter. Here is the first paragraph of the email:
ArbiterSports is committed to protecting the confidentiality of our customers’ information. We are writing to notify you that we recently identified and addressed a data security incident that involved some of your child’s information. This notice provides you with a description of the incident, our response, and the steps you may take.

LRZ Thu Aug 27, 2020 06:53am

I got the email yesterday, but mine reads "a data security incident that involved some of your information." My guess is the "child's" was just an error by the author of the email, corrected when discovered. But until I'm sure of the email's authenticity, I am not going to share my SSN.

crosscountry55 Thu Aug 27, 2020 07:42am

Well, I’m pretty discerning, and what I received yesterday did not have any of the classic attributes of a hoax. If it was a hoax, it is by far the most sophisticated I have ever seen.

I’m very confident that what I received yesterday was not the product of a Nigerian prince.



justacoach Thu Aug 27, 2020 07:45am

Quote:

Originally Posted by crosscountry55 (Post 1039528)
Well, I’m pretty discerning, and what I received yesterday did not have any of the classic attributes of a hoax. If it was a hoax, it is by far the most sophisticated I have ever seen.

I’m very confident that what I received yesterday was not the product of a Nigerian prince.



And, it was sent to several unique email addresses that were only ever used on their site....

sdoebler Thu Aug 27, 2020 08:46am

It really bothered me that they knew about the data breach in mid July and took almost a month and a half to inform people. Very frustrating.

BillyMac Thu Aug 27, 2020 04:51pm

Arbiter Breach ...
 
I received a USPS "snail mail" from Arbiter today regarding this subject.

Usernames, passwords, names, addresses, birth dates, email addresses, and Social Security numbers were all compromised.

Arbiter paid the hacker's ransom demand to delete the stolen files.

Arbiter suggests that we change our passwords and offered two years of free Experian Identity Works Credit 3B to protect our identities.


Stat-Man Thu Aug 27, 2020 05:13pm

Last month, my Arbiter session for my phone had expired. I had trouble logging back in and had to use my desktop session to reset my password. I now wonder if my login issue was related to the breach.

Quote:

Originally Posted by sdoebler (Post 1039530)
It really bothered me that they knew about the data breach in mid July and took almost a month and a half to inform people. Very frustrating.

It's possible that there was an investigation into the breach and that Arbiter LLC had to wait for that to reach the point where they could disclose something definitive about what happened.

At least they notified users. Years ago, Honig's apparently had a breach of their online store data and didn't bother notifying customers. I only found out by chance when I read something online that a state's attorney general either sued or threatened to sue them over their failure to notify customers from their state. I strongly suspect my card at the time was one of the ones compromised because I bought something from their online store around that time and my card was compromised the next day.

BillyMac Thu Aug 27, 2020 05:56pm

Password Reset In July ...
 
Quote:

Originally Posted by Stat-Man (Post 1039542)
Last month, my Arbiter session for my phone had expired. I had trouble logging back in and had to use my desktop session to reset my password.

Same here, I had to reset my password.

gamefaceref Thu Aug 27, 2020 08:48pm

Experian coverage
 
Quote:

Originally Posted by BillyMac (Post 1039538)
I received a USPS "snail mail" from Arbiter today regarding this subject.

Usernames, passwords, names, addresses, birth dates, email addresses, and Social Security numbers were all compromised.

Arbiter paid the hacker's ransom demand to delete the stolen files.

Arbiter suggests that we change our passwords and offered two years of free Experian Identity Works Credit 3B to protect our identities.


My letter says 1 year Experian membership... not an acceptable resolution in my opinion. Should be at least three years, but if you are getting two years for some reason then that reveals other issues that need to be addressed. With all the information they got, what is to say that they did not also get our banking information that is on there for payments?

Nevadaref Thu Aug 27, 2020 10:08pm

This adds more fuel to my fire in my ongoing dispute with Arbiter over their storage of our SSNs in their system. I object to that and have fought unsuccessfully for years now to be able to remove my personal info during the off-season. In fact, I prefer to only enter my SSN when the treasurer of my group runs payroll or creates the 1099s and then take it back out. The problem is that Arbiter locks the SSN field on the profile page and prevents you from changing or deleting the info therein. Please join me in calling the Arbiter personnel and demanding that we have control over this data and can remove it at will. It is not theirs and they are not our employers.

Altor Fri Aug 28, 2020 08:37am

Quote:

Originally Posted by gamefaceref (Post 1039544)
With all the information they got, what is to say that they did not also get our banking information that is on there for payments?

A friend called the number to ask this question. The response was that they will get back to him in 3-5 days. It might be best to talk to your bank and see if they suggest you close that account and open a new one.

All the information anybody needs to do an electronic transaction is on a check, so it's not like there aren't plenty of ways for this information to be obtained anyways. But, I don't like the fact that a known bad actor is known to have this information now.

FWIW, I have a separate bank account that I only use for officiating transactions (makes it easier for end of year accounting). I try to keep the balance low (around $1000...write a check to myself at the end of a season). If you are like me and have no choice but to work with Arbiter, you might consider something similar. At least it limits your exposure.

LRZ Fri Aug 28, 2020 09:25am

I have a separate savings account for Arbiter and several schools that pay by direct deposit. There is a $300 minimum to avoid fees, which is not a problem. Once I get maybe $400-$450 total, I transfer the overage into another account.

sdoebler Fri Aug 28, 2020 10:58am

Quote:

Originally Posted by Nevadaref (Post 1039546)
This adds more fuel to my fire in my ongoing dispute with Arbiter over their storage of our SSNs in their system. I object to that and have fought unsuccessfully for years now to be able to remove my personal info during the off-season. In fact, I prefer to only enter my SSN when the treasurer of my group runs payroll or creates the 1099s and then take it back out. The problem is that Arbiter locks the SSN field on the profile page and prevents you from changing or deleting the info therein. Please join me in calling the Arbiter personnel and demanding that we have control over this data and can remove it at will. It is not theirs and they are not our employers.

I understand why they do it, for ease and integration into Refpay as an upsell. However, as with you, I wholeheartedly agree they should not be storing this information in the manner they do.

sdoebler Fri Aug 28, 2020 10:59am

Quote:

Originally Posted by Altor (Post 1039547)

FWIW, I have a separate bank account that I only use for officiating transactions (makes it easier for end of year accounting). I try to keep the balance low (around $1000...write a check to myself at the end of a season). If you are like me and have no choice but to work with Arbiter, you might consider something similar. At least it limits your exposure.

Quote:

Originally Posted by LRZ (Post 1039549)
I have a separate savings account for Arbiter and several schools that pay by direct deposit. There is a $300 minimum to avoid fees, which is not a problem. Once I get maybe $400-$450 total, I transfer the overage into another account.

Good ideas, I had been considering this idea for taxes and tracking for a while, upset I didn't institute sooner.


All times are GMT -5.