The World Anti-Doping Agency says a Russian cyber-espionage group named the Tsar Team, also known as APT28 or Fancy Bear, broke into its database and accessed athletes' data. The hackers saw confidential medical data and have released some of the information, WADA says.
Some of the data listed athletes' therapeutic use exemptions, which allow banned substances to be taken if they're deemed to be necessary for an athlete to cope with an illness or medical condition.
"WADA deeply regrets this situation and is very conscious of the threat that it represents to athletes whose confidential information has been divulged through this criminal act," said Olivier Niggli, WADA's director general. He added that the organization is reaching out to organizations about affected athletes.
As for how the breach occurred, WADA says that its Anti-Doping Administration and Management System — also called ADAMS — was accessed "via an International Olympic Committee (IOC)-created account for the Rio 2016 Games."
The breach is believed to be a case of "spear phishing of email accounts," in which passwords to ADAMS were exposed to hackers, WADA says.
"WADA has been informed by law enforcement authorities that these attacks are originating out of Russia," Niggli said. "Let it be known that these criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia further to the outcomes of the Agency's independent McLaren Investigation Report."
The McLaren report is the 103-document report that formed the backbone of WADA's call for Russia to be barred from Rio's Summer Olympics — a call that the International Olympic Committee did not heed, but instead left up to individual sporting federations.
Back in 2014, cybersecurity firm FireEye issued a report that found APT28, one of the names for the Tsar Team group, took part in "focused operations that we believe indicate a government sponsor — most likely the Russian government."