Security firm for NFL, NBA, NHL, MLB, and NASCAR notifies 100K people of data breach
Andy Frain Services, a private security firm whose major clients include the NFL, NBA, NASCAR and others, confirmed over the weekend that it has notified 100,964 people of an October 2024 data breach that compromised their personal information.
Ransomware gang Black Basta claimed responsibility for the breach in November 2024, saying it stole 750 GB of data from the private security firm. Andy Frain has not yet confirmed Black Basta’s potential involvement.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, had this to say:
“I’m not sure why it took nearly 7 months for Andy Frain Services to notify the impacted people. That’s 7 months hackers could have been using the learned information to abuse potential victims. If I do business with Andy Frain Services, I would like to know how the breach happened, if they know. Was it social engineering, unpatched software or firmware, or some other cause? Because if they don’t know how it happened, it’s much tougher to put in place the right mitigations to make sure it’s less likely to happen again.”
And in a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:
“Black Basta, not to be confused with Blackcat or BlackSuit, is a ransomware gang that first surfaced in early 2022. It operates a ransomware-as-a-service business wherein third-party clients pay Black Basta to use its ransomware and infrastructure to launch attacks and collect ransoms. Black Basta often extorts victims both for a key to restore infected systems and for not selling or publicly releasing stolen data. Black Basta has claimed 166 confirmed ransomware attacks since it began, compromising more than 11.7 million records. Its average ransom demand is about $2.9 million.”
“In 2025 to date, Black Basta has claimed five victims, all of which it claimed in January. None of those attacks have been confirmed yet. In 2024, Comparitech researchers logged 793 confirmed ransomware attacks on US organizations, compromising more than 268 million records. 64 of those attacks hit service-based businesses like Andy Frain and compromised 1.6 million records.”
“The average ransom across all industries is just north of $2.3 million, and $787,000 for service-based businesses. In 2025 so far, we’ve recorded 112 confirmed ransomware attacks in total, five of which hit service-based businesses. Ransomware gangs made another 1,365 attack claims this year that haven’t been acknowledged by the targeted organizations.”
Andy Frain has some explaining to do. Or at least it should have some explaining to do. Seven months to disclose this isn’t cool. However, I don’t think that will happen given the sort of environment that we’re in at the moment, where nobody seems to be held to account for anything. Which is not good.
This entry was posted on May 12, 2025 at 2:21 pm and is filed under Commentary with tags Hacked.