Football – soccer in the US – is a multi-billion pound industry, and especially so in the the UK’s Premier League. Players change clubs for tens of millions of pounds – so knowing who is watching which new emerging player is a distinct commercial advantage.
Some 75% of Premier League clubs use the services of Scout7 to maintain their private talent scouting information. Over the weekend, the People revealed that Manchester City, one of the UK’s richest football clubs, suspects its private reports have been compromised. “Manchester City’s shocking discovery that their worldwide scouting database could have been hacked by an employee of a rival Premier League club will rock football to its core,” wrote Steve Bates.
For its part, Scout7 has denied being hacked. “Scout7 is aware of the erroneous publicity about supposed hacking of a client of the Scout7 system,” it said in a statement reported by the Daily Mail. “The security or technical integrity of Scout7 systems has not been undermined by this incident. We understand that the incident is still being investigated but involves use of valid passwords obtained from the Club concerned to gain illegal access to a private database.”
According to Scout7, hacking isn’t hacking if it involves correct passwords incorrectly used. The implication is that the fault lies with either a Manchester City employee who lost his/her password; or a third party who stole that password. Either way, it further corroborates the argument for two-factor authentication rather than reliance on passwords alone.
It is understood that Manchester City has called in a security firm to investigate. Little is yet known beyond that Manchester City seems to be the only victim. This itself would imply either specific targeting against that particular club, or opportunism in getting hold of just one set of credentials. It does, however, demonstrate that it isn’t just defense industries and state secrets that are potential victims of cyber espionage.