National Cyber Security Centre (“NCSC”) report highlights cyber risk to sports industry

United Kingdom

A recent NCSC report has highlighted a number of cyber-attacks by hackers against the sports industry, leading its Director of Operations, Paul Chichester, to urge sports organisations to review their cyber security measures.

Last month, the NCSC published its first report on cyber threats to the sports industry (an industry worth £37 billion a year to the UK economy), which appears to be particularly targeted by cyber criminals. The threats are clear and present: the report points out that at least 70% of sports organisations surveyed suffer at least one cyber incident every year. This is more than double the average for the general UK business community, which, according to the Department for Digital, Culture, Media & Sport’s annual breaches survey, is 32%. Around 30% of incidents were reported to have resulted in direct financial damage, with an average cost of over £10,000 per incident and the largest loss being more than £4 million.

By way of an example, the report highlights an incident whereby the managing director of a Premier League football club was targeted with a ‘spear phishing attack’ where his emails were hacked. The hackers attempted to subvert a £1 million payment being made as part of a transfer deal. The attempt was ultimately unsuccessful after the bank denied the payment due to the perpetrators having had a fraud marker placed against their bank account.

Sports organisations are of interest to perpetrators of cyber-attacks as they have a high public profile and significant financial power, hold a lot of sensitive personal data in their systems and regularly process a large number of financial transactions. Additionally, in line with the UK economy in general, the report notes that sports organisations rely heavily on digital technology, such as running online business systems with the ability to take payments online. Cyber-attacks can cause sports organisations to lose access to data or technology and result in data breaches, loss of funds, event disruption and loss of venue security, with financial gain being the primary motivation of cyber attackers.

Given the attractive nature and high profile of UK sports organisations, the NCSC not only highlights the risk but also provides tips to the industry for how to stop or lessen the impact of such cyber-attacks. The report aims to explain the cyber threat to sports organisations by illuminating the key security issues they face daily and the trends seen in the forms of cyber-attacks:

  • Business email compromise (“BEC”) – BEC is reportedly the biggest cyber threat facing sports organisations. In such a case, perpetrators gain access to business email accounts, which they use to carry out activities such as fraudulent payments and data theft. Such attacks often target senior individuals or those who have the authority to approve payments.
  • Cyber-enabled fraud – cyber technology can help enable crimes such as fraud. This can involve techniques such as email spoofing (where the perpetrator forges the sender email address in the header of the message to make the email appear genuine) and typo squatting (where the perpetrator creates a fake website that appears to be that of a real brand but has a subtle typo in the URL).
  • Ransomware attacks – attackers can use malware to stop organisations from being able to access their computer systems. Such attacks can have a significant impact on victims, who may not be able to access files and systems that are crucial to the operation of their business. Ransomware attacks can also have serious consequences for venue security.

The report noted that nearly all attacks involve tools and techniques that are easily accessible. The attacks exploit security controls that have not been properly implemented and predictable human behaviour. These attacks include:

  • Phishing – a form of social engineering used to deceive users so that they disclose information or click on a bad link. While such attacks may be random, they can also be targeted, with perpetrators using information about organisations or the employees themselves in order to appear convincing (‘spear phishing’).
  • Credential stuffing – the gaining of valid combinations of usernames and passwords from one site, through fraudulent means, which attackers take in the knowledge that users often have the same combination across their accounts and use to access such accounts on other sites.
  • Password spraying – the use of a small number of frequently used passwords in a ‘brute force attack’ against a large number of accounts, based on the assumption that at least some users will have used such passwords.

The report asks sports organisations to review the following key areas:

  • Email security – good email technical controls, such as anti-spoofing and multi-factor authentication, diminish the risk of cyber-attacks. Sports organisations often do not use such controls.
  • Staff empowerment – staff are instrumental in the fight against cyber-attacks; however, less than 50% of sports organisations train their staff about cyber security.
  • Cyber risk management – sports organisations should beware of a defensive approach to managing cyber risk that focuses too much on avoiding fines. Instead, they should take a holistic approach that seeks to do more than just comply with data protection legislation and regulation and instead evaluates cyber risks across the IT landscape of the organisation.

The challenges arising from data are countless and inescapable in our maturing technological landscape and exposure to cyber risks is increasing, both in terms of fines imposed and civil claims being brought. To future-proof your organisation, and unlock opportunity from your data, you need alert and experienced lawyers who will deliver practical advice. Our data privacy, protection and information security teams are on the ground in over 40 countries, speak the local language and understand the local laws – but crucially in a global context.

Click here to read the full NCSC report, along with the actions checklist for both board level and IT practitioners. Should your organisation wish to review and/or strengthen its cyber or data security or become subject to a cyber or data security attack, contact CMS for further information and expert advice.