NCC Group and Phoenix Sport & Media Group recently published the results of quantitative and qualitative research on the current state of cyber security in the world of sports.
The report, titled "The Hidden Opponent: Cyber Threats in Sport," helps sports and leisure organizations understand their levels of cyber security vulnerability and exposure. It also guides professionals on how to minimize risks, and draws attention to several critical areas, including:
- The vast number of methods a cybercriminal can use to exploit a club or personality.
- The varied impact of a cyber attack, from disruptions to systems to data exfiltration, financial loss to reputational damage.
- A lack of resources, including skilled cyber security professionals, is a huge challenge. A lack of funding is explicitly impacting preparedness, too.
- An inadequacy of internal cyber incident response and investigation measures, with many organizations uncertain about the processes and procedures to follow.
As a passionate football fan and incident response specialist, that last finding caught my attention. It is concerning to read that incident response capabilities are lacking across the industry.
At NCC Group, we know first-hand how cybercriminals take advantage of poor defenses and deliver nefarious malware to encrypt data and cripple operations. We also recognize that sport plays a massive part in our society; so many communities rely on the income and health benefits it brings to their local area.
The report found that large organizations would struggle to recover from an attack. But what about a smaller club or community leisure center? How will they cope with ever-evolving ransomware attacks when most have limited resources?
Our purpose at NCC Group is to create a more secure digital future. By sharing our findings and working with the sports sector, we want to keep as many vulnerable organizations safe from some of the most dangerous cyber threats as possible.
How has the sporting world been affected by cyber threats?
Let us delve into three scenarios where the sporting industry has faced its ‘hidden’ opponent: threat actors.
1. Gone phishing for a transfer
Business Email Compromises (BECs) are prevalent across all industries. The impact of a BEC can be very costly, like in one example where a Premier League managing director’s email was hacked, leading to the club nearly losing around £1m in what was believed to be a legitimate transfer negotiation.
The financial repercussions of this incident may not have been as dire as it could have been, but what is the relationship between those two clubs like now? Have both clubs secured their transfer processes? These same questions can be asked in the case of the Italian football club Lazio, which was phished and ended up paying £1.75 million to threat actors posing as agents from Feyenoord.
Additionally, the NCSC reports that an organization holding athlete performance data was subject to a BEC. A staff member received an unusual autoreply from a colleague, prompting them to report it to the IT department.
It was found that email accounts had been compromised, and emails were auto-forwarded to external email accounts. It should be noted that multi-factor authentication (MFA) had yet to be implemented for Office 365, highlighting the importance of enabling MFA across your estate.
The Information Commissioner’s Office was notified that approximately 10,000 emails- some containing personal data- had been sent to the external email accounts. This incident cost the organization in various ways, such as having to divert internal resources and being unable to retrieve answers of how the attack occurred due to the lack of forensic evidence.
On top of this, over 100 individuals were contacted as their sensitive data had been stolen. These types of attacks significantly impact an organization’s reputation.
Phishing and BECs are prevalent and such attacks do not appear to be slowing down. From the more recent 'I can’t believe he is gone' Facebook phishing campaigns to the classic ‘A file has been shared with you’, the world is continually battling phishing attacks.
With the implementation of generative AI, phishing attacks only look to become more sophisticated which is concerning when major sporting events such as the 2022 FIFA World Cup are already exploited by threat actors to distribute phishing campaigns.
Thinking constantly about the end user, we should assume that a malicious link will, at some point, get clicked. With this mindset, how, then, can this attack be mitigated? Natural language processing and machine learning are existing technical approaches for phishing detection, with new detection solutions proposed regularly.
Other mitigations include implementing email filters and the authentication methods SPF, DKIM, and DMARC. However, reducing the risk of phishing or a BEC requires a combination of technical and non-technical solutions, with education still vital. Look out for the traditional signs of a phishing email, and if you’re not sure about an email, report it to your IT team or phone the sender to check whether the email they sent is legitimate. Otherwise, many times, phishing attacks can lead to ransomware.
2. Don’t drop the ball; ransomware is rife
Ransomware is everywhere. It targets any industry, and the world of sport is no exception. For example, the notorious ransomware group LockBit, known for attacking the UK’s Royal Mail, Boeing, and Continental, targeted The Royal Dutch Football Association (KNVB) in 2023, claiming to have exfiltrated 305GB of data.
Another example includes the San Francisco 49ers, who in February 2022 were hit by BlackByte ransomware, which led to the disruption of certain systems on their corporate IT network and BlackByte claiming they had exfiltrated data.
The 49ers ended up settling a class action lawsuit stemming from the ransomware attack. Creating a new role to manage IT and cyber security duties was also part of the proposed settlement, highlighting the criticality of employing the necessary personnel to maintain an organization’s incident preparedness. This example illustrates the legal and financial repercussions of an incident.
But what would be the consequences of ransomware hitting a smaller sports club? Let’s take a look below.
If only detection tools had been properly utilized to stop the ransomware in its tracks and ensure revenue and opportunities to generate revenue were not lost.
Preventing ransomware requires visibility of the entirety of your digital estate and a defense in depth strategy, as highlighted in the recommendations in a recent blog written by our DFIR team, "How to Defend your Organization Against Prominent Ransomware Crime Families."
Responding to ransomware necessitates having tried and tested processes in place. You wouldn’t buy a car without knowing if it works. This same approach can be applied in incident response.
You wouldn’t rely on incident response processes without knowing if they work, and a great way to make sure is to run a simulated cyber attack and incident response exercise.
3. Even in the big leagues, data is breached
Threat actors will employ techniques to steal data from a network such as exfiltrating data via a command-and-control channel or uploading data to cloud storage.
Any cyber attack, including phishing and ransomware, can result in a data breach. This is seen in the case of Horizon Actuarial Services LLC, who in 2021 were hit by ransomware which affected their Major League Baseball Players Benefit Plan. This resulted in MLB players and their family members’ data being stolen.
Moreover, in 2023, luxury sports and racing car manufacturer Ferrari disclosed a data breach after receiving a ransom demand. It was revealed that customer information such as names and addresses had been exposed, and as a result, customers were notified.
Preventing data exfiltration requires a change in how we protect data and how we consume it. We store unprecedented amounts of data across our laptops, mobile, and email accounts. Therefore, we need to go back to basics, which includes data encryption.
Enabling BitLocker on Windows-based devices is an easy option for ensuring the protection of data-at-rest and adopting secure transfer protocols for data-in-transit. It is not just about how data is stored, though, but where it is stored.
Bring your own device is still a popular option for users; however, unmanaged devices significantly increase the risk of data exposure. Managed devices allow organizations greater control of their data, only allowing the necessary people to access it.
Additionally, data loss prevention solutions look to prevent sensitive data from leaving an organization whether through accidental leakage or the work of a threat actor. It should be noted, though, that not all data breaches are the result of threat actors. This was the case for The Royal Dutch Tennis Association, who were fined €525,000 in 2020 for selling personal data of more than 350,000 of its members to sponsors.
Do you go to match or race day without a plan?
As highlighted in our Cyber in Sport research, without a cyber security benchmark in this industry, how is it that the world of sport should now respond?
Understand your environment
If you were playing a game, you wouldn’t blindly throw or kick the ball in any direction and hope it reaches one of your teammates; you would assess your surroundings. This approach is the same for incident preparedness, and there are numerous ways in which you can assess your surroundings:
- Threat Assessments allow you to understand if your defenses in place are adequate or if a compromise has already occurred.
- Threat Modeling helps you to identify threat vectors and understand your current security posture, ensuring every component of your systems has been thoroughly analyzed.
- Attack Path Mapping brings to light your entire attack surface across your network and helps you to visualize how a real-world attacker would compromise your organization. Focusing on your susceptibility to threats allows you to begin playing defense.
- Risk Assessments enable you to evaluate your organization’s cyber risk posture taking into consideration vectors including but not limited to system vulnerabilities, encryption, and sensitive data identification. You wouldn’t field a player who is injured so don’t use a device that is vulnerable or uncompliant.
Exercise your defense
Plan for an attack and develop an incident response playbook. This describes the roles and responsibilities of those directly involved in managing specific cyber incidents and should be regularly reviewed and tested.
Running incident simulations is a great activity to test your incident preparedness and provide an opportunity to address likely scenarios such as phishing or losing an unmanaged device.
Security is everyone’s responsibility, and it is critical to involve legal and communications, as well as C-suite and security teams, in your incident planning and response strategy.
Become ready for anything
Contact one of our experts today to discuss your incident planning and response strategy.