Blocked turnstiles, hacked transfer deals and fraudulent kit sales are among the cyber incidents against the sports sector catalogued by the UK's official National Cyber Security Centre (NCSC). The Centre's first report on threats to the sports industry shows it to be a high-value target: at least 70pc of institutions suffer a cyber incident every 12 months, more than double the average for UK businesses.
One incident revealed in the Cyber Threat to Sports Organisations report involved the email account of a Premier League club's managing director being hacked before a transfer negotiation. As a result, the £1m fee almost fell into the hands of cyber criminals. The MD clicked on a spearphishing email and was diverted to a spoofed Office 365 login page, where he entered his credentials, unwittingly passing his email address and password to (unidentified) criminals.
An English Football League (EFL) club suffered what the NCSC terms a significant ransomware attack, which crippled its corporate and security systems. As a result of the attack the CCTV and turnstiles at the ground were unable to operate, almost leading to a fixture cancellation. The attack vector remains unknown, according to the report, 'but the initial infection was likely enabled by either a phishing email or remote access via the CCTV'. The cost of remediation and damage ran into the hundreds of thousands of pounds.
The club found that its IT estate had grown organically and that very few security controls were in place. Networks should be segmented so that a compromise of one system, such as the CCTV estate, cannot spread to the rest of the business. The club had no emergency response plan and had not conducted response exercises; it had not recognised how digital its business had become, and cyber security investment was low. The club has since recruited a new IT manager.
The report sets out that sports bodies and tournaments can be targets for cyber crime and mischief like any other business, and may have the same cyber weaknesses as other organisations, such as unpatched systems and poor access control; yet at sporting venues, 'security controls to protect stadium systems are less mature than those used for general business systems'.
In a separate case, a member of staff at a UK racecourse identified an item of groundskeeping equipment for sale on eBay and agreed a price of £15,000. The sale turned out to be fraudulent: a spoofed version of eBay had been created, and the staff member was unable to recover the funds.
Paul Chichester, Director of Operations at the NCSC, said: “Sport is a pillar of many of our lives and we’re eagerly anticipating the return to full stadiums and a busy sporting calendar.
“While cyber security might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real. I would urge sporting bodies to use this time to look at where they can improve their cyber security – doing so now will help protect them and millions of fans from the consequences of cyber crime.”
The NCSC has identified three common tactics used by criminals to assault the sector on a daily basis, which are: business email compromise (BEC), cyber-enabled fraud, and ransomware being used to shut down critical event systems and stadiums.
An Ipsos MORI survey was commissioned by the NCSC. It found that most sport businesses had digital records and networked systems such as CCTV and turnstiles; they took and held sensitive personal data; most had online business systems and offered customers the opportunity to make bookings, payments or purchases via the internet.
For the full 26-page report visit the NCSC website.
Jeremy Hendy, CEO at threat intelligence firm Skurio, said: “Football clubs have well-developed resources and attitudes to physical risks, such as crowd safety and player security but they really haven’t all caught up with the digital world.”
Stuart McKenzie, Senior Vice President of Mandiant Services EMEA at FireEye, said that the risk to sporting organisations should be high on their risk register, but in all likelihood it is under-prioritised, which is concerning as the huge amount of revenue that many of them generate means they are a very lucrative target. "Aside from financially motivated attacks, major sporting events such as the FIFA World Cup and the Olympics present a high profile opportunity for nation-state attackers to embarrass host nations. Events such as these are key political tactics to disrupt competitions and cast doubt on the host nation's technical ability to host these major events."
Adenike Cosgrove, Cybersecurity Strategy, International at Proofpoint, recalled how in 2018 Lazio football club lost £1.75m to an email scam, transferring money to fraudsters; we can expect these types of attacks to continue, Cosgrove said.
“To protect against email fraud, the UK government has mandated the email authentication standard, DMARC, for all public sector organisations – private companies and sports authorities should follow suit. Additionally, and especially at a time when employees are working remotely, ongoing cyber security awareness and education training should be a priority and treated as a long-term initiative considering the new realities that are reshaping the corporate workforce.”
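The DMARC standard Cosgrove refers to is published as a DNS TXT record at _dmarc.<domain>, and whether it actually stops a spoofed "from the managing director" email depends on the tags in that record. The following Python is an added example, not code from the NCSC report or from Proofpoint: it parses a record according to RFC 7489 and flags the settings that leave a domain spoofable (p=none, a sampling pct below 100, a weaker subdomain policy, no rua= reporting address). The record strings and the club.example domain are constructed for illustration.

```python
"""Parse a DMARC TXT record and flag settings that leave a domain spoofable.

Added example, not code from the NCSC report or from Proofpoint. Record
syntax follows RFC 7489; the records in RECORDS are constructed for
illustration and club.example is a placeholder domain, not real DNS data.
"""

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
ALIGNMENT_MODES = {"r", "s"}  # relaxed (default) or strict alignment


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC record into a tag -> value mapping.

    Tags are separated by ';' and the first tag must be v=DMARC1
    (RFC 7489, section 6.3). Raises ValueError for anything else.
    """
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty record")
    tags: dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    first_key, _, first_val = parts[0].partition("=")
    if first_key.strip().lower() != "v" or first_val.strip().upper() != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    return tags


def grade_dmarc(record: str) -> list[str]:
    """Return findings for a record; an empty list means it is enforcing."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [f"invalid record: {exc}"]

    findings: list[str] = []

    # p= is mandatory; receivers ignore a record without a usable policy.
    policy = tags.get("p")
    if policy is None:
        findings.append("p= is missing; receivers ignore a record without a policy")
        policy = "none"
    elif policy not in POLICY_RANK:
        findings.append(f"p={policy} is not none, quarantine or reject")
        policy = "none"
    elif policy == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine lands spoofed mail in spam instead of rejecting it")

    # sp= defaults to p=; an explicit weaker value reopens every subdomain.
    sp = tags.get("sp")
    if sp is not None:
        if sp not in POLICY_RANK:
            findings.append(f"sp={sp} is not a valid policy")
        elif POLICY_RANK[sp] < POLICY_RANK[policy]:
            findings.append(f"sp={sp} is weaker than p={policy}; subdomains can still be spoofed")

    # pct= defaults to 100; anything lower applies the policy to a sample only.
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        findings.append(f"pct={pct_raw} is not an integer 0-100")
    elif int(pct_raw) < 100 and policy != "none":
        findings.append(f"pct={pct_raw} applies the policy to only {pct_raw}% of failing mail")

    # Without rua= the domain owner never sees who is sending as them.
    rua = tags.get("rua")
    if rua is None:
        findings.append("rua= is missing; no aggregate reports, so abuse goes unseen")
    elif not all(u.strip().lower().startswith("mailto:") for u in rua.split(",")):
        findings.append("rua= must be a comma-separated list of mailto: URIs")

    for tag in ("adkim", "aspf"):
        mode = tags.get(tag)
        if mode is not None and mode not in ALIGNMENT_MODES:
            findings.append(f"{tag}={mode} is not r or s")

    return findings


# Constructed sample records for a placeholder domain (not real DNS data).
RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@club.example",
    "partial": "v=DMARC1; p=reject; pct=25; sp=none",
    "enforcing": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@club.example",
    "not_dmarc": "v=spf1 include:_spf.mail.example -all",
}

if __name__ == "__main__":
    for name, rec in RECORDS.items():
        findings = grade_dmarc(rec)
        print(f"{name}: {'enforcing' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it directly to grade the four constructed records; in practice you would feed grade_dmarc the TXT record returned by a DNS lookup of _dmarc.yourclub.example. An enforcing record only helps if the domain's SPF and DKIM are set up so that legitimate mail aligns; moving straight to p=reject without first reviewing rua= reports will block the club's own outbound mail as well as the fraudster's.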
And Jonathan Knudsen, Senior Security Strategist at Synopsys, said that the narrowly avoided theft of nearly £1m from a football club was hardly surprising, but served to highlight some truths.
“First, every organisation is a software organisation. Every organisation either creates software or uses it, and many do both. Consequently, all organisations must embed software security into their culture. Security cannot be bolted on to existing processes and systems. Responsibility for security cannot be assigned to a single group within an organisation, but must be part of how everyone goes about their daily business.
“Finally, as organisations gradually get smarter about how they approach software security, attackers shift their attention from the software to the humans operating the software. The attempted theft at the football club was enabled by compromising the credentials of the club’s managing director, which was likely accomplished through social engineering.”