
NCSC Report highlights increasing Cyber Threat to the Sports Industry

Tuesday 4 August 2020

The National Cyber Security Centre (NCSC) has published a report on the increasing cyber threat to the sports industry.

The report is based on the findings of NCSC’s Ipsos MORI survey, which consisted of telephone surveys with 57 organisations, including sporting bodies and specific clubs from sports such as football, rugby, tennis, cricket and athletics.

Due to the financial power of the industry (which contributes over £37 billion to the UK economy each year), it is clear that it has become a high-value target for cyber criminals with a financial motive. Key findings from the report include:

  • At least 70% of sports organisations have experienced a cyber incident or breach – more than double the 32% average for UK businesses.
  • 30% of organisations recorded over 5 incidents in the last 12 months.
  • Approximately 30% of these incidents caused direct financial damage, averaging £10,000 per incident.
  • The biggest single loss was over £4 million.

The NCSC also set out 3 trends which have been identified in cyber incidents affecting sports organisations:

  1. Business Email Compromise (BEC)

BEC involves fraudulent payments or data theft engineered by attackers who have gained access to official business email accounts, typically through “spear phishing”: targeted emails, often combined with phone calls and spoofed sender addresses, which make the messages more persuasive and realistic. The NCSC identifies BEC as the biggest cyber threat to the sports industry.

Example: The Managing Director of a Premier League football club fell victim to a spear phishing attack after clicking on an email link and being directed to a spoofed Office 365 login page, where he entered his credentials. During the transfer window, the club agreed a transfer worth almost £1 million; the attackers, who were monitoring the compromised account, impersonated the parties to the deal and changed the bank details for the payment. The club approved the transaction, but the bank fortunately refused the payment because fraud markers had been raised on the cyber criminals’ account.

  2. Cyber-Enabled Fraud

This is fraud in which the deception is delivered by email, text message or phone call, typically directing staff to fraudulent or fake websites or to make payments to accounts controlled by the attacker.

Example: A staff member at a UK racecourse wanted to purchase an item of groundskeeping equipment listed on eBay for £15,000. An eBay message from the seller diverted the staff member to a spoofed version of the eBay site, where the purchase was completed by bank transfer. By the time the fraud was discovered the payment could not be recovered, resulting in a significant financial loss for the racecourse.

  3. Ransomware

This is a type of malware which prevents access to a computer, or to the data stored on it, until a ransom is paid. The impact of ransomware has increased over recent years across all organisations (for example, the WannaCry attack on the NHS in 2017), with attackers now analysing a victim’s network before deploying the malware so as to ensure maximum impact on the organisation.

Example: An English Football League club suffered a ransomware attack which crippled its systems. The attackers demanded a ransom of 400 bitcoin, which the club declined to pay; its end-user data remained encrypted and locally stored data was lost. The stadium CCTV and turnstiles were also non-operational, almost resulting in a fixture being cancelled. The attack cost the club several hundred thousand pounds in lost income and remediation.

What should you do?

As the industry recovers following the coronavirus pandemic, the NCSC is urging all sports organisations – from local clubs to national federations – to read the report and follow its advice. Organisations are advised to put cyber security on the agenda at board level to make sure that it is being actively monitored and prioritised.

The NCSC also suggests that organisations should prepare for the most common types of cyber attack by putting plans in place to deal with threats as they arise. Multi-factor authentication should be introduced on email accounts to guard against BEC attacks, software should be patched and kept up to date, and important files should be backed up so that data can be recovered after a ransomware attack (remember that loss or breach of personal data may also incur liability under the GDPR).

Staff training is also key, to ensure that all members of an organisation understand the importance of cyber security and are well-equipped to guard against cyberattack.

Finally, it is not only your own organisation’s cyber security which should be reviewed. Many sports organisations have service contracts with third parties who host and operate e-commerce and other online platforms on their behalf. It is essential that your organisation ensures that its contracts and relationships with those partners are equally robust on cyber security, and that everyone is aware of their obligations and the standards which must be met.

If you have any questions or need any support or training in relation to cyber security, please do not hesitate to contact our specialist Data Protection Team or a member of our Sports sector.
