The Olympic Games, the FIFA World Cup, and the Super Bowl are just a few examples of iconic sporting events that showcase the global significance of the professional sports industry. But while professional sports stir passion and emotion among fans, cybercriminals couldn’t care less about the competitive aspects of sports or the feeling of community with fellow fans. Instead, they will relentlessly attempt to exploit the industry’s reach and resources in a bid to line their pockets with ill-gotten gains.
This stark reality is reflected in data. According to a 2020 survey for the United Kingdom’s National Cyber Security Centre (NCSC), which we also covered here, a staggering 70% of the sports organizations had experienced at least one cyber-incident or harmful cyber-activity. This, by the way, far surpassed the figure (32%) for general UK businesses. With the European sports industry alone accounting for over 2% of the continent’s GDP, the stakes are undeniably high.
As anticipation builds for the upcoming 2024 Summer Olympics in Paris, let’s look at 10 cases where sports organizations fell victim to cyberattacks.
1. BEC playbook
The aforementioned NSCS report singled out Business Email Compromise (BEC) fraud as the biggest threat to sports organizations. To help drive the point home, it detailed an incident where the email account belonging to the managing director of an undisclosed Premier League club was compromised amid a £1 million (US$1.3 million) player transfer negotiation.
The spear phishing attack lured the victim to a bogus Office 365 login page where he unknowingly surrendered his login credentials. The criminals then went on to attempt to pull off a BEC scam worth the amount above, but fortunately, the bank stepped in at the eleventh hour and thwarted the scheme.
Another prominent soccer club, Italy’s Lazio Rome, seemed less lucky, however. According to reports from 2018, Lazio was tricked into paying a transfer fee worth $2.5 million to a bank account under scammers’ control.
2. Kneecapped by ransomware
In November 2020, Manchester United fell victim to a ransomware attack that disrupted the club’s digital operations. As is common with ransomware attacks, the criminals demanded a ransom payment in exchange for decrypting the data and restoring access to the club’s computer systems.
Man U quickly took its systems offline to mitigate the damage and stop the ransomware from spreading further across the network. They also engaged with cybersecurity experts and law enforcement agencies to investigate the incident and determine its extent. Eventually, Man U contained the attack and restored its systems without paying the ransom fee.
Staying on the topic of ransomware attacks, the San Francisco 49ers, one of the NFL’s most popular franchises, announced in 2022 that the sensitive information of 20,000 employees and fans had been compromised during a ransomware attack earlier that year. Interestingly, the organization agreed to compensate the victims.
RELATED READING: Sports data for ransom – it’s not all just fun and games anymore
3. Olympic malware
The opening ceremony for the 2018 Winter Olympics in PyeongChang, South Korea was crashed by an unexpected guest – Olympic Destroyer malware. The malicious software hit the event’s IT infrastructure, disrupting operations during the ceremony and causing chaos for spectators. Among other things, it shut down Wi-Fi hotspots and telecasts and stopped spectators from attending the event.
The attack systematically erased critical information on affected Windows systems. Moreover, the malware sought out network locations to further propagate, compounding the damage across connected devices. Additionally, Olympic Destroyer had the ability to install sophisticated software designed to surreptitiously capture passwords.
The attack, variously attributed to Sandworm and Fancy Bear APT groups, primarily targeted the event’s official website, the servers of ski resorts hosting the Olympic contests, and two IT service providers who managed the event’s technical infrastructure. The incursion ultimately threw into sharp relief the vulnerability of high-profile sporting events to cyberthreats.
4. Your medical history is now public
Olympic Destroyer was not the only case where a cyber-espionage group targeted a prominent international sports organization. In 2016, the World Anti-Doping Agency (WADA) suffered a serious data leak that exposed the medical information of a number of global sports personalities.
The incident, whose victims included tennis players Venus and Serena Williams and gymnast Simone Biles, exposed athletes’ Therapeutic Use Exemptions (TUEs), which allow them to use prohibited substances or methods as long as they were prescribed to treat legitimate medical conditions.
WADA attributed the attack to the Fancy Bear group and said that the breach not only undermined the integrity of WADA's TUE program, but also threatened the agency’s broader mission of preserving the fairness and cleanliness of sports.
5. A basketful of data
In March 2023, the National Basketball Association (NBA) issued an alert about a data breach at one of its external mail service providers, resulting in the theft of fans’ names and email addresses. While the NBA's systems remained uncompromised, the incident underscored the vulnerability of third-party service providers to cyberthreats.
In the statement about the incident, recipients were advised to remain vigilant against potential phishing and social engineering attacks that could exploit the stolen information. The NBA assured users that their usernames and passwords were not compromised. Nonetheless, the organization activated its incident response protocols and conducted a thorough investigation to analyze the incident further.
While the NBA's own systems were not breached, the compromise of a third-party newsletter service provider led to the theft of people’s information. This breach underscored the importance of ensuring the security of all components within an organization's ecosystem, as well as the security posture of external service providers. Strengthening cybersecurity measures and establishing robust protocols for monitoring and responding to incidents are essential for mitigating the impact that such breaches can have on organizations and their customers.
6. Houston, we have a problem
The iconic phrase “Houston, we have a problem" resurfaced in April 2021, when the Houston Rockets fell victim to a cyberattack at the hands of the gang behind the Babuk ransomware.
This attack had severe implications for one of the NBA’s most prominent teams, with the attackers claiming responsibility for leaking over 500 GB of confidential information, including sensitive data such as player contracts, customer records, and financial details.
While the Babuk ransomware may not rank among the most sophisticated ransomware strains, its impact was significant. The attack went on to pose a risk for organizations in other sectors, including healthcare and logistics. Such incidents highlight the indiscriminate nature of cyberthreats and the urgent need for robust cybersecurity measures across all industries.
7. No escape
Let’s stay on the topic of cyberattacks hitting the world of basketball for a minute. In a basketball game, the end of a quarter is signaled by the sound of a buzzer. In October 2023, a different kind of buzzer sounded for the French basketball team ASVEL – it signaled a data breach orchestrated by the NoEscape ransomware gang.
The team acknowledged the attack, lamenting the exfiltration of 32 GB of sensitive data, including player information such as passports and identity documents, contracts, confidentiality agreements, and other legal documentation.
8. A Real incident
Let’s circle back to soccer now. All the poise that the Real Sociedad soccer club showed on the pitch amid promising prospects in both the Champions League and Spain’s La Liga was abruptly disrupted on October 18th, 2023, when the club issued a terse statement to announce that it had fallen victim to a cyberattack.
This incident compromised servers storing sensitive data, including names, surnames, postal addresses, email addresses, telephone numbers, and even bank account details of subscribers and shareholders.
In response, the club advised the victims to monitor their accounts for any suspicious activity. Additionally, they established an email communication channel for affected individuals to seek further assistance or clarification.
9. Boca in the crosshairs
Club Atlético Boca Juniors, based in Buenos Aires, Argentina, boasts global recognition. However, its wide acclaim did not deter cybercriminals from targeting the club – quite the opposite.
On September 16th, 2022, Boca Juniors fell victim to an attack that compromised its official YouTube account. The attackers seized control of the channel and proceeded to disseminate information promoting Ethereum cryptocurrency, indeed a rather typical cryptocurrency scam.
In response to the breach, Boca Juniors promptly issued an official statement via Twitter (now X), reassuring fans and stakeholders of their swift action to restore control over the compromised account. Within a matter of hours, the club successfully restored its online presence.
10. An own goal?
An attack against the Royal Dutch Football Association (KNVB) in April 2023 resulted in the theft of confidential data belonging to the organization’s employees and members. The incident, which was attributed to the notorious LockBit ransomware gang, was confirmed by the KNVB, which is an umbrella organization for the country’s professional soccer leagues.
The breach impacted a variety of victims, including parents of junior players, international players, professionals from 2016-2018, contacts of the KNVB Sports Medical Center, and individuals involved in the organization’s disciplinary matters from 1999-2020.
Scams preying on us all
There are also a number of cautionary tales to show that the non-athletes among us are also a juicy target for cybercrime.
For example, as the quadrennial spectacle that is the FIFA World Cup draws billions of viewers globally, scammers view it as a prime opportunity to ensnare new victims. Unsurprisingly, World Cup-themed scams are a recurring problem that often deceive recipients into believing they had won tickets to the event or lure them to websites that download malware on their devices. We’ve previously also looked at a campaign that duped unsuspecting WhatsApp users with the lure of free soccer jerseys.
Conclusion
Just like any other industry, professional sports is catnip for cyberattackers. The cautionary tales highlighted here represent just a fraction of the barrage of daily attempted cyber-intrusions. It’s imperative for the sports industry to maintain vigilance, akin to “keeping one’s eye on the ball”, and to continue to watch out for threats in the online realm as cyber-adversaries aren’t going to stop launching new and increasingly complex attacks.
