For Cybercriminals, the Game is On and They’re Playing to Win
Why Football Clubs Need to Up their Cyber Defence
By Ravi Pather, VP, Europe and Middle East, Ericom Software
Our fascination — and for many, obsession — with sports in general and European football, in particular, is fed by the inspiring skill, physical strength, teamwork, and speed that top-tier athletes bring to their games. And, of course, the fierce competitiveness typified by football (or soccer, if that’s how you roll.)
Regardless of which name you prefer, it’s the most popular, most watched and most avidly supported sport in the world, with an estimated 4 billion fans in over 200 countries. Competition is intense between teams, their fans (a shortened form of “fanatic,” which is particularly fitting, in this context), regions, countries and even continents. A continuous stream of news about league competitions, cup tournaments, top goal scorers, transfer targets and more drive avid engagement with anything relating to “your” club and the league in which it plays.
Football is a huge business as well. Top-level clubs are high-profile, multibillion-euro businesses that have as much — or more — in common with global entertainment industry players as they do with the football clubs of just a few decades ago. Players are stars, receiving wages of millions of euros each year, along with sponsorship deals and astronomical transfer fees, should they be traded. Media rights, licensing deals, and sponsorships bring enormous sums into the clubs.
Today, Football is a Technology Play
As is true for most businesses today, the success of modern football clubs depends to a significant degree on the technology that supports virtually every aspect of their operations. Business managers, scouts, back-office staff, medical staff, players, trainers, coaches, event management teams, lawyers and myriad other users rely on powerful systems and applications to manage training routines, player line-ups and performance assessments, payroll, and online ticket sales. Many teams also operate the facilities where they train and play, depending on applications to manage stadium infrastructure such as turnstiles, CCTV, and streaming games online. Disruption of any of those functions could cost the clubs dearly in lost revenue and fan confidence.
Apps the clubs use hold massive amounts of sensitive data, including statistics on player performance, medical and financial records, scouting data and information about trades being considered; supporters’ credit card data, contact info and PII; and financial details about suppliers, sponsorship and licensing deals and much more.
Simple, secure access to applications and the data they house is essential, from wherever users are working — in the office, at home, or on the road — as is assurance that confidential information will not be pirated or exposed.
Football Clubs are in Hackers’ Crosshairs
At first glance, few people would group football clubs with banks, healthcare organisations and government agencies as attractive targets for cyberattacks. But in truth, as high-profile, data-driven and exceptionally profitable businesses, football clubs have significant digital footprints, vulnerable attack surfaces and a wealth of attractive, marketable data that can be quickly and easily monetised by cybercriminals. In short, they have everything a cybercriminal could want.
Due to the clubs’ high public profiles, the huge financial stakes involved in every decision they take, and the ease with which stolen data can be rapidly monetised, football teams are exceptionally valuable and sought-after targets for cybercriminals and organised crime. Knowing that large sums are set to change hands during periods such as transfer windows, savvy cyber criminals may focus their efforts on hacking into management email accounts to make some quick money via ransoms or business email compromise (BEC) fraud.
Football clubs are growing more aware of the damaging impact data breaches can have, including brand and reputational damage, and exfiltration and exposure of sensitive data, such as transfer targets and offers being considered and other confidential matters.
In today’s interconnected, digitally fuelled world, securing and protecting data and resources while enabling easy access for authorized users is one of the most essential back-office challenges that modern football clubs face. Cyber defence strategies are as crucial to clubs’ business success as football defence strategies are to their success on the pitch.
Premier League Teams are Falling for League Two Attacks
A quick look at some recent high-profile and high stakes cyberattacks on European football clubs indicates that too many are relying on outdated perimeter-based security approaches and underinvesting in modern cyber defence. Today, with users accessing club data and systems from wherever they are, and business partners tapping into club apps, the perimeter is obsolete — as are many legacy security solutions.
Attacks on football clubs are primarily criminal in nature and motivated by financial gain, although a number have been breaches by clubs seeking competitive information.
According to a survey of 57 sports organisations commissioned by the UK National Cyber Security Centre (NCSC) and discussed in The Cyber Threat to Sports Organisations report, 75% of organizations reported receiving fraudulent emails, text messages or phone calls, and 61% reported that employees were directed to fraudulent websites. These activities are often criminals’ first steps in executing business email compromise (BEC) attacks, which represents the largest threat to sports organizations. They are also common channels for executing cyber-enabled fraud and delivering ransomware, the second and third most dominant types of cyberattacks in the sector.
Attacks on football clubs mostly focus on financial fraud, yet organisations have been directing the lion’s share of their efforts to personal data protection, driven by GDPR compliance requirements. This prioritization of compliance risk is confirmed by survey responses regarding the reasons for wanting to reduce cyber risk: 53% of respondents cited personal data protection, while only 2% mentioned preventing fraud or theft.
Football Clubs’ Defences are Down
According to the NCSC survey, 70% of Britain’s sports institutions suffered a cyber incident in the 12-month period covered, more than twice the average for other businesses. Almost 1/3 of those incidents resulted in financial damage, with costs averaging €11,000 per incident and ranging up to 10x that sum.
Recent attacks on football clubs include:
- In November 2020, Manchester United, a publicly listed corporation that was valued at roughly €3.2 billion at the time, announced that it had suffered a cyberattack. Although the club declined to publicize details about the attack, email systems and mobile apps were shut down for over a week and news reports claimed that hackers had gained access to scouting data, including information about players being considered by the club. Experts speculated that a click on a phishing email was likely to have set the breach in motion.
- In a 2018 BEC attack, criminals stole €1.6 million by hacking the email account of a Florentina Italian Serie A football club official and intercepting rights payments from a streaming platform that broadcast Florentina games.
- Personal information of West Ham English Premier League football club supporters was accidentally exposed to other fans who were attempting to log into their own accounts on the club website. The leak was the result of an application security vulnerability — most likely, a configuration error — rather than a breach.
- Italian football club Lazio was scammed into sending €2 million to the account of a cybercriminal who claimed to represent the team negotiating payment for a player’s transfer. In a similar scam, a Premier League transfer deal was almost hijacked by a cybercriminal who comprised the email account of the club’s managing director. Fortunately, in that case, the bank noticed something suspicious about the funds transfer and blocked the theft.
Finding the Right Coach for the Job
According to the NCSC, successful attacks on sports organizations result from poor implementation of security controls, weak password policies, unpatched software and human frailty. Research conducted by SecureScorecard cited similar findings: The most common security issues included weak encryption, web application issues, patching issues and susceptibility to email spoofing.
Revealingly, the audit found an inverse relationship between clubs’ football success and their success in managing digital exposure and risk. Here’s why: Cybersecurity is most often managed by general IT or security teams rather than by dedicated cybersecurity specialists, with decisions made at the board level. It stands to reason that executives with the greatest expertise in building and maintaining winning football clubs may have less expertise in building strong cyber defences.
Without knowledgeable cybersecurity leadership, even basic security hygiene like multi-factor authentication and prompt patching may fall by the wayside.
Defence is Key, for Security as for Football
Today, almost exactly a decade since the Real Madrid website was hacked, it is clear that football clubs must up their cybersecurity game. Today, professional clubs have highly specialized managers, scouts, trainers and negotiating teams. It’s time that they protect their operations with professional-class, specialized security defence as well.
As distributed organizations with significant cloud-based digital resources and apps — and significant risk profiles — football clubs should adopt a flexible Zero Trust security approach that can grow with their needs. Adopting a modern Secure Access Security Edge (SASE) platform will enable the following essential protections, and more:
- Securing access to O365 and other business applications
- Protecting online assets from spoofing
- Eliminating vulnerability due to stolen passwords
- Securing digital resources from unmanaged device risk
- Eliminating over-privileged access
- Mitigating damage resulting from successful social engineering appeals
- Protecting web-facing app surfaces from view
Cloud-based SASE platforms are effective, comprehensive and easy-to-use solutions that can secure sensitive data and apps from attack and exposure and simplify access to the resources that football club stakeholders need to support club performance.
About the Author
Ravi is a member of the senior management team, responsible for Ericom’s Europe and Middle East regional go-to-market strategy, sales and marketing activities including channel partner development and sales. Most recently, in his 25-year career in security and compliance software, he has helped partners and enterprises select and implement enterprise class cyber security solutions leveraging cloud SaaS applications. Ravi has held executive positions at Perspecsys/Symantec and other companies. Ravi can be reached online at ravi.pather@ericom.com, LinkedIn, Twitter, and at https://www.ericom.com/.