The U.K.’s National Cyber Security Centre (NCSC) warned about the increasing cyber risks like phishing, ransomware attacks, and Business Email Compromise (BEC) schemes targeting football clubs, teams, and sports authorities. In its report “The Cyber Threat to Sports Organizations” NCSC revealed that around 70% of sports organizations suffered a breach or a security incident and 30% reported over 5 incidents in the last 12 months that caused a financial damage of £10,000 (US$ 12,700), with the biggest single loss of over £4 million (US$ 5,100,000).
BEC Fraud on Sports Club
The report highlighted two BEC fraud attempts that targeted a Premier League football club and a U.K. sporting body through spoofed Office 365 accounts.
- The Managing Director of the football club fell victim to a spear-phishing attack that compromised his email login credentials. “During a transfer negotiation with an overseas football team the email address of the managing director of a Premier League club was hacked by cybercriminals. Only a late intervention from the bank prevented the club from losing almost £1 million (US$ 1.27 million),” NCSC explained.
- In the case of the sporting body, threat actors compromised employees’ email accounts and set up auto-forwarding rules to external email accounts and re-routed almost 10,000 emails that contained sensitive data of more than 100 individuals.
Ransomware Attack
The report also highlighted that 40% of cyberattacks on sports organizations involved malware infection and 25% of them involved ransomware. According to NCSC, threat actors compromised corporate systems of an English Football League (EFL) club in a ransomware attack and asked to pay a 400-bitcoin ransom (approximately US$ 3,800,000). “The attack encrypted almost all the club’s end user devices, resulting in the loss of locally stored data. Several servers were also affected, leaving the club unable to use their corporate email. The stadium CCTV and turnstiles were non-operational, which almost resulted in a fixture cancellation,” the report said.
Paul Chichester, Director of Operations at the NCSC, said, “While cybersecurity might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cybercriminals cashing in on this industry is very real. I would urge sporting bodies to use this time to look at where they can improve their cybersecurity – doing so now will help protect them and millions of fans from the consequences of cybercrimes.”