More than 20,000 SSNs stolen during ransomware attack on San Francisco 49ers

One of the NFL’s most popular franchises — the San Francisco 49ers — began sending breach notification letters out Thursday, after more than 20,000 people's sensitive information was accessed during a ransomware attack earlier this year

The BlackByte ransomware gang attacked the team's systems the week before Super Bowl Sunday, raising questions about what would have happened had the team held on to its late game lead two weeks before to make the final match. 


Image: Screenshot of the BlackByte 49ers extortion page Image: @CyberKnow20

At the time of the attack, the organization confirmed to The Record that the ransomware group had encrypted its files after accessing its network. 

“While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders,” the team said in February.

But on Monday, the organization began sending notification letters to people whose information may have been compromised and said it had concluded an investigation, finding that the breach had lasted six days.

“The 49ers conducted a thorough review of these files to identify the individuals whose information was contained in the files, and additional research to locate and verify the addresses for these individuals,” the team said. 

In the team's filing to the Maine Attorney General’s Office, where it is required by law to report data breaches, the company said in total 20,930 names and corresponding Social Security numbers were accessed during the attack. 

The team is offering victims one year of free credit monitoring and identity theft protection services through Experian. They have also set up a call center for victims and implemented other security protocols in addition to security training for employees. 

The team did not respond to requests for comment about what other information may have been accessed during the ransomware attack. 

After the attack, BlackByte offered up 292 MB worth of invoices and other business documents on its leak site.

The group initially emerged in September 2021 with a poorly-coded ransomware, according to experts. The cybersecurity firm Trustwave found a weakness in it and used it to create a free decrypter.

But the group created a second version of the ransomware, which solved the bugs found by Trustwave, and have been able to launch several attacks since. 

The FBI released a security alert about BlackByte just one day before the attack on the 49ers became public.

The agency said since November 21 “BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture).”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.