The 49ers had issued a statement on Super Bowl Sunday, Feb. 13, that their corporate IT network systems had been disrupted by a "network security incident," the Associated Press reported. The 49ers two weeks earlier had lost the NFC championship to the Los Angeles Rams, who went on to win the Super Bowl.
The team took immediate steps to stop the access and enlisted an outside cybersecurity firm to investigate, according to a statement from the 49ers. The investigation was completed in August and revealed that unauthorized access to files had happened during the week of Feb. 6-11.
"We have begun notifying individuals whose data may have been compromised during a cybersecurity incident on our corporate network earlier this year and are offering complimentary credit monitoring and identity theft protection services to them" said Jacob Fill, 49ers corporate communications coordinator, in response to a Chronicle query Tuesday.
"We take seriously our responsibility to safeguard personal and sensitive information entrusted to us and are committed to working with cybersecurity experts to ensure we are protected from any future similar incidents. We regret any concern this has caused to the affected individuals."
The 49ers did not respond to a follow-up query as to the nature of the digital files affected and whether they are ticket-holder accounts.
The new details about the breach were first reported by the Record, an online news site that covers cybersecurity developments.
The Associated Press reported in February that the BlackByte ransomware gang had stolen some of the 49ers' financial data and posted it online, though the group did not make its ransom demands public or say how much data it had stolen or encrypted.
At the time, the team said in a statement that "we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi's Stadium operations or ticket holders," according to the AP.
However, in a subsequent filing with the Attorney General's Office in Maine — where reporting data breaches is mandatory, according to the Record — 49ers outside counsel Jennifer Costa stated that a total of 20,930 individuals may have been affected by the security breach. Social Security numbers were apparently taken. Seven of those individuals are Maine residents, who were notified on Sept. 1.
Costa, who works at the firm Baker & Hostetler in Cleveland, did not respond to a request for comment.
© 2022 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.
