The National Football League is implementing stricter information security protocols following a high-profile breach of prospect contact data during last year's draft process, signaling how institutional oversight failures can force regulatory tightening across entire industries.
One year ago, Shedeur Sanders became the subject of a viral prank call after his phone number was accessed without authorization during the draft. As Sanders slid down the draft board in April 2025, he was prank called by Jax Ulbrich, the son of Atlanta Falcons defensive coordinator Jeff Ulbrich, who wrote down Sanders' phone number from his father's open iPad while visiting home. The moment unfolded live during Sanders' draft party, as he received a call from someone impersonating New Orleans Saints GM Mickey Loomis before the No. 40 overall pick.
The Security Failure
The incident exposed a fundamental breakdown in data governance within NFL operations. Jeff Ulbrich acknowledged the severity of the lapse at a news conference at the Falcons' facility, stating, "My actions of not protecting confidential data were inexcusable." He added, "My son's actions were absolutely inexcusable, and for that we are both deeply sorry." Ulbrich further committed: "I promise my son and I will work hard to demonstrate we are better than this."
The consequences for the Falcons organization were substantial. The NFL fined the Falcons $250,000, while Ulbrich personally was docked $100,000—a financial penalty underscoring the league's determination to enforce accountability for information security breaches.
New Access Restrictions
In response, the NFL is now limiting access to prospect contact information to a single designated individual within each franchise. According to an NFL spokesman, "The relevant contact information will be provided by the league to a single point of contact at the club in football operations." The spokesman further emphasized that "This individual will be responsible for safeguarding the numbers."
This centralization of information access represents a deliberate shift toward concentrated accountability—a model predicated on the principle that fewer access points reduce vulnerability to both negligence and intentional breaches. By designating one person per organization as the custodian of sensitive prospect data, the league is betting that individual responsibility will prove more effective than distributed access protocols.
Draft Context
The prank call occurred as Sanders waited to learn his draft fate. The New Orleans Saints, who owned the No. 40 overall pick and were among teams in the quarterback market, ultimately selected Louisville's Tyler Shough in the second round rather than Sanders. Other quarterback-needy teams moved quickly: the Tennessee Titans selected Cam Ward with the No. 1 pick, and the New York Giants selected Jaxson Dart at No. 25. Sanders would eventually be taken in the fifth round by the Cleveland Browns, who had also selected Oregon's Dillon Gabriel in the third round.
Why This Matters:
The NFL's response reflects a broader institutional lesson: when private organizations fail to police themselves through internal controls, external regulation becomes inevitable. The league's decision to concentrate information access illustrates how a single security failure can necessitate structural changes across an entire industry. For organizations managing sensitive personal data, the case demonstrates that inadequate internal protocols carry real financial costs—the $350,000 in combined fines represents only the direct penalty, not accounting for reputational damage or operational disruption. The shift toward single-point-of-contact accountability also raises questions about scalability and whether centralized control actually improves security or simply creates new bottlenecks. From a governance perspective, this incident underscores that individual responsibility and clear chains of custody matter more than elaborate systems when human judgment remains the ultimate safeguard.