The Olympic Games, FIFA World Cup and Super Bowl are just a few examples of iconic sporting events that demonstrate the global importance of the professional sports industry.
But while professional sports inspire passion and emotion among fans, cybercriminals couldn’t care less about the competitive aspects of the sport or the feeling of community with other fans. Instead, they will relentlessly seek to exploit the industry’s reach and resources in an attempt to line their pockets with ill-gotten gains.
This stark reality is reflected in the data. According to a 2020 survey conducted by the UK’s National Cyber Security Center (NCSC), which we also covered here, a staggering 70% of sports organizations have experienced at least one cyber incident or malicious cyber activity. This, by the way, far exceeded the figure (32%) for UK general businesses. Given that the European sports industry alone represents more than 2% of the continent’s GDP, the stakes are undeniably high.
As anticipation grows for the upcoming 2024 Summer Olympics in Paris, we take a look at 10 cases where sports organizations have fallen victim to cyber attacks.
1. BEC practical guide
The aforementioned NSCS report identified Business Email Compromise (BEC) fraud as the biggest threat to sports organizations. To help make the point, he detailed an incident in which the email account belonging to the chief executive of an undisclosed Premier League club was compromised during a £1 million player transfer negotiation ( 1.3 million dollars).
The spear phishing attack lured the victim to a fake Office 365 login page where they unknowingly surrendered their login credentials. The criminals then attempted to pull off a BEC scam of the above value, but fortunately the bank intervened at the eleventh hour and foiled the plan.
Another important football team, Lazio Roma, seemed less fortunate. According to reports from 2018, Lazio was tricked into paying a transfer fee worth $2.5 million into a bank account under the control of the scammers.
2. Kneeling from ransomware
In November 2020, Manchester United was the victim of a ransomware attack that disrupted the club’s digital operations. As often happens with ransomware attacks, the criminals demanded the payment of a ransom in exchange for decrypting the data and restoring access to the club’s computer systems.
Man U quickly took its systems offline to mitigate the damage and prevent the ransomware from spreading further across the network. They also worked with cybersecurity experts and law enforcement to investigate the incident and determine its scope. Ultimately, Man U contained the attack and restored its systems without paying the ransom fee.
Continuing the topic of ransomware attacks, the San Francisco 49ers, one of the NFL’s most popular franchises, announced in 2022 that the sensitive information of 20,000 employees and fans had been compromised during a ransomware attack earlier that year. Interestingly, the organization agreed to compensate the victims.
RELATED READING: Sports data for ransom: It’s no longer just fun and games
3. Olympic Malware
The opening ceremony of the 2018 Winter Olympics in PyeongChang, South Korea, was crashed by an unexpected guest: the Olympic Destroyer malware. The malicious software affected the event’s IT infrastructure, disrupting operations at the ceremony and causing chaos among spectators. Among other things, it blocked Wi-Fi hotspots and television broadcasts and prevented spectators from attending the event.
The attack systematically deleted critical information on affected Windows systems. Additionally, the malware sought locations across the network to propagate further, compounding the damage across all connected devices. Additionally, Olympic Destroyer had the ability to install sophisticated software designed to surreptitiously capture passwords.
The attack, variously attributed to the Sandworm and Fancy Bear APT groups, primarily targeted the event’s official website, the servers of the ski resorts hosting the Olympic competitions and two IT service providers that managed the technical infrastructure of the ‘event. The incursion ultimately threw into sharp relief the vulnerability of high-profile sporting events to cyber threats.
4. Your medical history is now public
Olympic Destroyer was not the only case in which a cyber espionage group targeted a major international sports organization. In 2016, the World Anti-Doping Agency (WADA) suffered a major data leak that exposed the medical information of numerous global sports personalities.
The incident, whose victims included tennis players Venus and Serena Williams and gymnast Simone Biles, exposed athletes’ therapeutic use exemptions (TUEs), which allow them to use prohibited substances or methods as long as they have been prescribed to treat medical conditions legitimate.
WADA attributed the attack to the Fancy Bear group and said the breach not only undermined the integrity of WADA’s TUE program, but also threatened the agency’s broader mission of preserving the fairness and cleanliness of sport.
5. A basket of data
In March 2023, the National Basketball Association (NBA) issued a notice regarding a data breach at one of its external email providers, resulting in the theft of fans’ names and email addresses. While the NBA’s systems remained intact, the incident highlighted the vulnerability of third-party service providers to cyber threats.
In the statement on the incident, recipients were advised to remain vigilant against potential phishing and social engineering attacks that could exploit the stolen information. The NBA assured users that their usernames and passwords were not compromised. Nonetheless, the organization activated its incident response protocols and conducted a thorough investigation to further analyze the incident.
While the NBA’s systems were not breached, the compromise of a third-party newsletter service provider led to the theft of people’s information. This breach highlighted the importance of ensuring the security of all components within an organization’s ecosystem, as well as the security posture of external service providers. Strengthening cybersecurity measures and establishing robust protocols for monitoring and responding to incidents are essential to mitigating the impact such breaches can have on organizations and their customers.
6. Houston, we have a problem
The iconic phrase “Houston, we have a problem” resurfaced in April 2021, when the Houston Rockets fell victim to a cyberattack at the hands of the gang behind the Babuk ransomware.
This attack had serious implications for one of the NBA’s most prominent teams, with the attackers claiming responsibility for the leak of more than 500 GB of confidential information, including sensitive data such as player contracts, client records and financial details.
Although the Babuk ransomware is not among the most sophisticated ransomware strains, its impact has been significant. The attack continued to pose a risk to organizations in other industries, including healthcare and logistics. Such incidents highlight the indiscriminate nature of cyber threats and the urgent need for robust cybersecurity measures across all industries.
7. Don’t run away
Let’s stay on the topic of cyber attacks affecting the world of basketball for a moment. In a basketball game, the end of a quarter is signaled by the sound of a siren. In October 2023, a different alarm bell rang for the French basketball team ASVEL: it reported a data breach orchestrated by ransomware group NoEscape.
The team acknowledged the attack, complaining that 32 GB of sensitive data had been exfiltrated, including player information such as passports and identification documents, contracts, confidentiality agreements and other legal documentation.
8. A real accident
Now let’s get back to football. All the balance that the Real Sociedad football team showed on the pitch among the promising prospects of both the Champions League and the Spanish La Liga was suddenly interrupted on October 18th2023, when the club released a terse statement to announce that it had been the victim of a cyber attack.
This incident compromised servers that stored sensitive data, including names, surnames, postal addresses, email addresses, telephone numbers and even bank account details of subscribers and shareholders.
In response, the club advised victims to monitor their accounts for any suspicious activity. Furthermore, they have created an email communication channel so that interested people can ask for further assistance or clarification.
9. Mouth in the sights
Club Atlético Boca Juniors, based in Buenos Aires, Argentina, boasts global recognition. However, its broad acceptance hasn’t stopped cybercriminals from targeting the club – quite the opposite, in fact.
September 16thth2022, Boca Juniors was the victim of an attack that compromised its official YouTube account. Attackers took control of the channel and spread information promoting the Ethereum cryptocurrency, indeed a typical cryptocurrency scam.
In response to the violation, Boca Juniors promptly issued a official statement via Twitter (X time), reassuring fans and stakeholders of their swift action to restore control over the compromised account. Within a few hours, the club successfully restored its online presence.
10. An own goal?
An attack against the Royal Netherlands Football Association (KNVB) in April 2023 resulted in the theft of confidential data belonging to employees and members of the organization. The incident, attributed to the infamous LockBit ransomware gang, was confirmed by the KNVB, which is an umbrella organization for the country’s professional football leagues.
The breach affected several victims, including parents of junior players, international players, professionals from 2016 to 2018, contacts of the KNVB Sports Medical Center and people involved in the organization’s disciplinary matters from 1999 to 2020.
Scams are a threat to us all
There are also a number of cautionary tales to show that even the non-athletes among us are an attractive target for cybercrime.
For example, as the quadrennial FIFA World Cup spectacle attracts billions of viewers around the world, scammers see it as a prime opportunity to snare new victims. Unsurprisingly, World Cup-themed scams are a recurring problem that often tricks recipients into believing they have won tickets to the event or lures them to websites that download malware onto their devices. We also previously looked at a campaign that tricked unsuspecting WhatsApp users with the lure of free football shirts.
Conclusion
Just like any other industry, professional sports is a prey for cyber attackers. The warnings highlighted here represent just a fraction of the barrage of daily cyber intrusion attempts. It is critical that the sports industry maintains vigilance, as if “keeping its eye on the ball,” and continues to pay attention to threats in the online realm as cyber adversaries will not stop launching new and increasingly complex attacks.