The world of professional sport faces a significant cyber-threat, due to the data teams hold and their high profile, writes James Hampshire
During this year’s Tour de France, the general manager of Team Sky stunned the world of cycling by alleging that unknown hackers had accessed reigning Tour champion Chris Froome’s performance data as part of a campaign to discredit him.
Although sensational, this was by no means the first time a professional sports team has been the victim of a data breach. In June 2015, the FBI announced it was investigating the St Louis Cardinals baseball team for allegedly hacking rivals the Houston Astros to steal performance data.
This recent spate of attacks and allegations comes as no surprise. A number of factors combine to make professional sports teams uniquely attractive to cyber-criminals.
It was the Oakland Athletics baseball team which brought data analytics into the professional sports mainstream, using big data to identify and recruit undervalued players, as featured in the book and film Moneyball. Today, professional sports teams collect, synthesize and analyze a huge range and volume of data around training, nutrition, performance and tactics to gain a competitive edge or squeeze greater performance from limited resources.
This data is of huge interest to the public and the media and has huge commercial value to teams, as well as their opponents.
Off the field, the commercial activities of sports teams are increasingly becoming more profitable than their sporting activities. For example, in 2013–14 Manchester United made £189m from commercial activities compared with £108m from gate and match-day income (the commercial figure excludes TV and broadcasting which brought in an additional £136m).
A Timeline of (Un)sporting Cyber-Attacks
- April 2012 – Formula One websites subjected to DDoS attacks by Anonymous in protest at the Bahrain Grand Prix
- November 2014 – English Rugby League team club website defaced by ISIS sympathisers
- February 2014 – FC Barcelona Twitter account hacked by the SEA
- June 2015 – FBI investigation into Major League Baseball hacking allegations revealed
- July 2015 – Team Sky alleges hackers stole performance data in an attempt to discredit Chris Froome
This commercial activity means that sports teams generate and hold significant volumes of sensitive corporate information. Hackers value information regarding business strategy; insight into large deals such as sponsorships and partnerships; and large volumes of personal and payment card data from online retail, ticketing sales and supporter programs, all of which can be leveraged and monetized.
The huge media profiles of major sports teams also increases their value as targets for malicious cyber-activity. These teams hold significant volumes of sensitive internal correspondence and confidential documentation. For example, there is huge interest in players’ salaries and contract negotiations, teams’ transfer plans and fees paid, and embarrassing or damaging internal correspondence. Such data would be highly embarrassing if made public, as it was for Rangers FC in Scotland when an email from the club chairman discussing the power struggle for the club was obtained by a protest group.
In addition, the high profile of major sports teams makes them attractive targets for disruptive attacks such as website defacements or social media hijacking. For example, when activist group the Syrian Electronic Army hijacked the FC Barcelona Twitter account it generated headline news around the world, greatly amplifying the impact and publicity of the attack and its message. Often these attacks will be unrelated to sports, with activists simply exploiting poorly-protected social media accounts and websites of high-profile organizations.
This combination of factors serves to present an almost unique cyber-threat to professional sports teams. Very few other sectors have such an array of different data of value to attackers, combined with high-profile websites and social media presence.
Unlike many other sectors, few sports teams employ CISOs or have holistic cyber-defense programs. Based on the emerging level of threat, this needs to change.
About the Author
James Hampshire is a senior consultant in Control Risks’ cybersecurity department. He works with clients to identify strengths and weaknesses in their cybersecurity and improve their level of defense. James joined Control Risks from the UK National Crime Agency, where he managed the National Cyber Crime Unit’s international engagement team, working closely with the UK's overseas law enforcement liaison network and foreign partners. He played a key role in designing and delivering cybersecurity for the London 2012 Olympics.