Cyberattacks in Sports: A Growing Threat to High-Profile Organizations
The sports industry home to global spectacles like the Olympics, FIFA World Cup, and Super Bowl has become a prime target for cybercriminals. Unlike fans, attackers are indifferent to competition or camaraderie; they exploit the sector’s vast reach and financial resources for profit. A 2020 UK National Cyber Security Centre (NCSC) report revealed that 70% of sports organizations had experienced at least one cyber incident, far exceeding the 32% rate among general UK businesses. With the European sports industry contributing over 2% of the continent’s GDP, the stakes are high.
As the 2024 Summer Olympics in Paris approaches, recent attacks underscore the sector’s vulnerabilities. Here are 10 notable incidents demonstrating the breadth of threats:
1. Business Email Compromise (BEC) Scams
BEC fraud ranks as the top threat to sports organizations. In one case, a Premier League club’s managing director was tricked into entering credentials on a fake Office 365 login page during a £1 million player transfer. The bank intervened before funds were lost. Italy’s Lazio Rome wasn’t as fortunate scammers diverted a $2.5 million transfer fee in 2018.
2. Ransomware Disrupts Major Clubs
- Manchester United (2020): A ransomware attack forced the club to take systems offline, engaging experts and law enforcement to contain the breach without paying the ransom.
- San Francisco 49ers (2022): A ransomware attack exposed 20,000 employees’ and fans’ sensitive data, with the team compensating victims.
3. Olympic Destroyer Malware (2018 PyeongChang Games)
The 2018 Winter Olympics’ opening ceremony was disrupted by Olympic Destroyer, a malware strain that disabled Wi-Fi, telecasts, and ticketing systems. Attributed to APT groups Sandworm and Fancy Bear, the attack wiped data, stole passwords, and spread across connected networks, targeting the event’s website, ski resorts, and IT providers.
4. WADA Data Breach (2016)
The World Anti-Doping Agency (WADA) suffered a breach by Fancy Bear, exposing Therapeutic Use Exemptions (TUEs) for athletes like Serena and Venus Williams and Simone Biles. The leak undermined WADA’s integrity and raised concerns about the fairness of sports.
5. NBA Third-Party Breach (2023)
The NBA alerted fans to a breach at an external mail service provider, resulting in the theft of names and email addresses. While the NBA’s systems remained secure, the incident highlighted third-party vulnerabilities and the risk of follow-up phishing attacks.
6. Houston Rockets Hit by Babuk Ransomware (2021)
The Babuk ransomware gang leaked 500 GB of data, including player contracts, financial records, and customer details, from the Houston Rockets. The attack demonstrated how even less sophisticated ransomware can inflict severe damage.
7. ASVEL Basketball Team’s Data Breach (2023)
France’s ASVEL suffered a NoEscape ransomware attack, with 32 GB of data stolen, including player passports, contracts, and legal documents.
8. Real Sociedad’s Sensitive Data Leak (2023)
Spain’s Real Sociedad disclosed a breach exposing subscribers’ and shareholders’ personal and financial data, including bank account details. The club urged victims to monitor accounts for fraud.
9. Boca Juniors’ YouTube Hack (2022)
Argentina’s Boca Juniors had its official YouTube channel hijacked to promote a cryptocurrency scam. The club regained control within hours but faced reputational damage.
10. KNVB’s LockBit Ransomware Attack (2023)
The Royal Dutch Football Association (KNVB) fell victim to LockBit ransomware, compromising data from employees, junior players’ parents, medical contacts, and disciplinary records spanning decades.
Beyond Teams: Fans as Targets
Cybercriminals also exploit major events like the FIFA World Cup, deploying ticket scams, fake giveaways, and malware-laden websites to deceive fans. A 2022 campaign even used WhatsApp to lure victims with fake soccer jerseys.
These incidents reveal a relentless and evolving threat landscape, where attackers exploit financial transactions, third-party risks, and high-profile visibility. For the sports industry, cybersecurity is no longer optional it’s a critical defense against an adversary that never stops playing.
Source: https://www.welivesecurity.com/en/cybercrime/cybercriminals-play-dirty-10-cyber-hits-sporting-world/
S.S. Lazio cybersecurity rating report: https://www.rankiteo.com/company/sslaziospa
National Basketball Association (NBA) cybersecurity rating report: https://www.rankiteo.com/company/national-basketball-association
OR Royalties cybersecurity rating report: https://www.rankiteo.com/company/or-royalties
"id": "SSLNATOR-1780945453",
"linkid": "sslaziospa, national-basketball-association, or-royalties",
"type": "Breach",
"date": "1/2016",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Sports',
'location': 'UK',
'name': 'Premier League Club',
'type': 'Football Club'},
{'industry': 'Sports',
'location': 'Italy',
'name': 'Lazio Rome',
'type': 'Football Club'},
{'industry': 'Sports',
'location': 'UK',
'name': 'Manchester United',
'type': 'Football Club'},
{'customers_affected': '20,000 employees and fans',
'industry': 'Sports',
'location': 'USA',
'name': 'San Francisco 49ers',
'type': 'American Football Team'},
{'industry': 'Sports',
'location': 'PyeongChang, South Korea',
'name': '2018 Winter Olympics',
'type': 'Sports Event'},
{'customers_affected': 'Athletes (Serena Williams, '
'Venus Williams, Simone Biles)',
'industry': 'Sports',
'location': 'Global',
'name': 'World Anti-Doping Agency (WADA)',
'type': 'Sports Organization'},
{'customers_affected': 'Fans (names and email addresses '
'exposed)',
'industry': 'Sports',
'location': 'USA',
'name': 'NBA',
'type': 'Sports League'},
{'industry': 'Sports',
'location': 'USA',
'name': 'Houston Rockets',
'type': 'Basketball Team'},
{'industry': 'Sports',
'location': 'France',
'name': 'ASVEL',
'type': 'Basketball Team'},
{'customers_affected': 'Subscribers and shareholders',
'industry': 'Sports',
'location': 'Spain',
'name': 'Real Sociedad',
'type': 'Football Club'},
{'industry': 'Sports',
'location': 'Argentina',
'name': 'Boca Juniors',
'type': 'Football Club'},
{'customers_affected': 'Employees, junior players’ '
'parents, medical contacts',
'industry': 'Sports',
'location': 'Netherlands',
'name': 'Royal Dutch Football Association (KNVB)',
'type': 'Sports Organization'}],
'attack_vector': ['Phishing',
'Malware (Olympic Destroyer)',
'Third-Party Vulnerabilities',
'Ransomware',
'Credential Theft'],
'customer_advisories': ['NBA alerted fans about third-party breach',
'Real Sociedad urged victims to monitor accounts for '
'fraud'],
'data_breach': {'data_encryption': ['Ransomware attacks (Manchester United, '
'San Francisco 49ers, ASVEL, KNVB)'],
'data_exfiltration': ['500 GB (Houston Rockets)',
'32 GB (ASVEL)',
'Decades of records (KNVB)'],
'file_types_exposed': ['Contracts, passports, legal '
'documents, medical records'],
'number_of_records_exposed': ['20,000 (San Francisco 49ers)',
'500 GB (Houston Rockets)',
'32 GB (ASVEL)'],
'personally_identifiable_information': ['Names, email '
'addresses, bank '
'details, medical '
'records'],
'sensitivity_of_data': ['High (player contracts, medical '
'records, bank details)',
'Medium (names and email addresses)'],
'type_of_data_compromised': ['Player contracts',
'Financial records',
'Customer details',
'Player passports',
'Legal documents',
'Therapeutic Use Exemptions '
'(TUEs)',
'Names and email addresses',
'Bank account details',
'Medical records']},
'description': 'The sports industry, including global spectacles like the '
'Olympics, FIFA World Cup, and Super Bowl, has become a prime '
'target for cybercriminals. A 2020 UK National Cyber Security '
'Centre (NCSC) report revealed that 70% of sports '
'organizations had experienced at least one cyber incident, '
'far exceeding the 32% rate among general UK businesses. '
'Recent attacks, including those targeting the 2024 Summer '
'Olympics in Paris, highlight the sector’s vulnerabilities.',
'impact': {'brand_reputation_impact': ['WADA integrity undermined',
'Boca Juniors reputational damage'],
'data_compromised': ['20,000 employees’ and fans’ sensitive data '
'(San Francisco 49ers)',
'500 GB of data (Houston Rockets)',
'32 GB of data (ASVEL)',
'Personal and financial data (Real Sociedad)',
'Employee, player, and medical records '
'(KNVB)'],
'downtime': ['Opening ceremony disruption (2018 Olympics)',
'Systems taken offline (Manchester United)'],
'financial_loss': ['£1 million (attempted)',
'$2.5 million (Lazio Rome)',
'Ransom demands (undisclosed)'],
'identity_theft_risk': ['Fans and employees (San Francisco 49ers)',
'Subscribers and shareholders (Real '
'Sociedad)'],
'operational_impact': ['Player transfer delays',
'Ticketing system failures',
'Broadcast disruptions'],
'payment_information_risk': ['Bank account details (Real '
'Sociedad)'],
'systems_affected': ['Wi-Fi, telecasts, ticketing systems (2018 '
'Olympics)',
'Internal systems (Manchester United)',
'YouTube channel (Boca Juniors)']},
'lessons_learned': 'The sports industry faces relentless and evolving cyber '
'threats, including financial fraud, ransomware, and '
'third-party vulnerabilities. High-profile events like the '
'Olympics and World Cup are prime targets, requiring '
'robust cybersecurity measures to protect financial '
'transactions, sensitive data, and operational integrity.',
'motivation': ['Financial profit',
'Data theft',
'Disruption',
'Reputational damage',
'Espionage'],
'post_incident_analysis': {'corrective_actions': ['Enhanced employee training',
'Third-party risk '
'assessments',
'Incident response plan '
'testing',
'Advanced threat detection '
'deployment'],
'root_causes': ['Phishing attacks',
'Third-party vulnerabilities',
'Unpatched systems',
'Lack of multi-factor '
'authentication']},
'ransomware': {'data_encryption': ['Yes (Manchester United, San Francisco '
'49ers, ASVEL, KNVB)'],
'data_exfiltration': ['Yes (Houston Rockets, ASVEL, KNVB)'],
'ransom_paid': ['No (Manchester United)',
'Compensated victims (San Francisco 49ers)'],
'ransomware_strain': ['Babuk (Houston Rockets)',
'NoEscape (ASVEL)',
'LockBit (KNVB)']},
'recommendations': ['Implement multi-factor authentication (MFA) for '
'financial transactions and sensitive systems.',
'Conduct regular cybersecurity training for employees to '
'recognize phishing and BEC scams.',
'Enhance third-party risk management to mitigate supply '
'chain attacks.',
'Deploy advanced threat detection and response systems to '
'identify and contain ransomware attacks.',
'Develop and test incident response plans to minimize '
'downtime and data loss.',
'Monitor dark web marketplaces for stolen data to prevent '
'identity theft and fraud.'],
'references': [{'source': 'UK National Cyber Security Centre (NCSC) Report'},
{'source': '2018 Winter Olympics Cyberattack Analysis'},
{'source': 'WADA Data Breach (2016)'}],
'response': {'containment_measures': ['Systems taken offline (Manchester '
'United)',
'Wi-Fi and telecasts disabled (2018 '
'Olympics)'],
'incident_response_plan_activated': ['Manchester United (engaged '
'experts and law '
'enforcement)',
'San Francisco 49ers '
'(compensated victims)'],
'law_enforcement_notified': ['Manchester United',
'San Francisco 49ers'],
'recovery_measures': ['Regained control of YouTube channel (Boca '
'Juniors)'],
'remediation_measures': ['Data recovery (2018 Olympics)',
'Compensation for victims (San '
'Francisco 49ers)'],
'third_party_assistance': ['Manchester United (cybersecurity '
'experts)',
'NBA (external mail service provider '
'investigation)']},
'threat_actor': ['APT groups Sandworm',
'Fancy Bear',
'Babuk ransomware gang',
'NoEscape ransomware',
'LockBit ransomware',
'Scammers'],
'title': 'Cyberattacks in Sports: A Growing Threat to High-Profile '
'Organizations',
'type': ['Business Email Compromise (BEC)',
'Ransomware',
'Malware',
'Data Breach',
'Third-Party Breach',
'YouTube Hijacking'],
'vulnerability_exploited': ['Fake Office 365 login pages',
'Third-party mail service provider',
'Network-connected systems',
'Unpatched systems']}