FacebooktwitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmail

The UtahCyberCheck project found the US Ski and Snowboard Association (USSA) puts the data of tens of thousands of its members at risk and violates its terms of use and privacy policy by using software with critical vulnerabilities and running at least one hacked website. The association, despite multiple attempts to contact them, has ignored reports about these serious issues. (UPDATED to reflect new developments.)

4/4/2020 UPDATE: I am now in contact with USSA. There is indication of some issues that prevented USSA from receiving my reports and were consequently unaware of them. More information to come at a later time.

4/20/2020 UPDATE: After a dialogue with USSA, it became clear USSA did not received most UtahCyberCheck reports. This contributed to confusion and miscommunication. Since this time, USSA has been responsive and are able to quickly address issues brought to their attention as future blog posts will detail.

According to its website and Wikipedia page, USSA is “an Olympic sports organization providing leadership and direction for tens of thousands of young skiers and snowboarders” with “over 30,000 athletes, officials and coaches, with a network of over 100,000 parents, volunteers and supporters” and a staff of over 150. The association is clearly impressive and fulfills a need for winter sports enthusiasts.

But when it comes securing their IT infrastructure and its member’s data, it doesn’t come close to receiving a gold medal. Future blog posts will exhibit how misconfigured servers, exposed credentials, and vulnerable software make USSA an easy target for hackers. These vulnerabilities still exist. The final post will reveal a hacked USSA website.

The series of cybersecurity issues and the organization’s inaction to address them is also a violation of their own terms of use and privacy policy.

Despite attempting to contact USSA for three months, the association has yet to respond to any messages from the UtahCyberCheck project. Reports were also given to the Utah Department of Public Safety which helped resolve one issue, but other issues were not addressed by USSA. Without any indication USSA will secure their infrastructure, it has come to this unfortunate conclusion of responsible disclosure.

Posts regarding USSA (Kept updated):

I began the UtahCyberCheck project to help struggling Utah education and government organizations. USSA has a presence on Utah education infrastructure and is a National Governing Body and falls within the scope of the project. You can read the initial announcement of UtahCyberCheck and subsequent reasons.

Update 3/28/2020 to include reference to USSA’s terms of use and privacy policy.
Update 4/1/2020 Changed featured image; Added article.
Update 4/4/2020: Added “Developing Story” to first paragraph, added 4/4/2020 update in body of article.
Update 4/20/20: Added note about USSA not receiving all reports.

FacebooktwitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmail