USA Cycling told members that personal information associated with their online accounts might have been compromised and instructed them to change their passwords immediately.
"What we know of the incident is that a hacker gained access to at least some of our databases within the last two weeks," USA Cycling said. "We believe we have now secured all our systems and face no further data security risks. We are notifying you as soon as we were able to assess the situation and secure our systems."
In an FAQ, the organization said that members' passwords were unencrypted:
"We were aware of this need, and have been exploring fixing that data security vulnerability for the last several months. But the legacy IT system we have been operating on for the past decade or more makes the transition very difficult and costly. And because we are embarking on a total overhaul of our IT systems, which will include moving to encrypted data storage within the next several months, we chose not to invest in our current system and then promptly replace it with a new system. In hindsight, we regret that decision as we should have encrypted data on our old system with absolute urgency. We are very sorry for this mistake."
USA Cycling learned of the incident on March 16.
The affected data includes names, mailing addresses, email addresses, dates of birth, emergency contacts, and USA Cycling passwords.
Results and rankings are unaffected, and no data was modified during the breach, the organization said.