Posted May 9, 2019
Sports organizations and franchises have security measures in place to protect their athletes on the field, but what are they doing to safeguard data and assets from cyber risks? As a lucrative industry valued at $80 billion in the US, the sports industry is a high-stakes game for cyber criminals to play. Sports organizations hold sensitive information like team game plans, athlete negotiation strategies, medical records, sponsorship deals, and payroll information. Potential access to these types of PII, as well as a lack of uniform security policies, makes sports organizations a high-reward target for cyber criminals, hacktivists, and nation-state actors. Unlike many other industries, sports organizations also hold high emotional value for fans, teams, and their cities.
With such a large fan base, an attack against a sports organization can be exploited for monetary and political reasons. As in many of our recent blogs, the same threat actors that target other industries are in play against sports organizations. LookingGlass research finds cyber criminals, hacktivists, and cyber terrorists targeting sports organizations, but also sees a larger threat from industry competitors and insiders.
In the past, the NBA’s Milwaukee Bucks were victims of a phishing attack that exposed players’ and employees’ W-2 and income information. An employee of the franchise released the team’s personal information to a cyber criminal in response to a scam email, a tactic that many organizations have faced. In this instance, a cyber criminal posed as the Bucks’ president Peter Feigin, perpetrating the ever-popular business email compromise (BEC) scam. To make matters worse, the breach was not discovered for a month, allowing the criminals to use the information they acquired on the cyber criminal underground. BEC scams have been a constant cyber issue that continues to grow. Every employee must maintain skepticism toward any email that looks suspicious. Remember the Cybersecurity ABCs to avoid a BEC attack.
In April 2017, the International Association of Athletics Federations (IAAF) was targeted by hacktivist group FancyBear. The IAAF is an international governing body against doping in elite athletes, garnering serious media attention ahead of international sporting events. This particular attack by FancyBear targeted the Therapeutic Use Exemptions used by Olympic athletes, exposing confidential medical information to the world. The attack is believed to be retribution for the exposé of a mass Russian doping scheme spanning from the 2012 London Olympics to the 2014 Sochi Winter Games that caused all Russian athletes to be barred from the 2018 Winter Games. FancyBear is also linked to the Kremlin, combining the forces of a nation-state with the political motivations of a hacktivist group. Though it can be difficult to defend against these types of attacks, understanding their tactics, techniques, and procedures (TTPs) gets your organization one step ahead of hacktivists.
In it to Win it: Insider and Competitor Threat
Things can get heated when it comes to competing sports organizations and trading players, and such fierce competition opens the window for insider and competitor threats. When trying to get a leg up against another team, it makes perfect sense to target systems housing a team’s strategies and player information. A case of poor password hygiene by a traded MLB player allowed Cardinals’ scouting director Chris Correa access to the Astros’ “Ground Control”. Access to this system gave Correa insider knowledge on scouting assessments, player trade discussions, and other confidential information. Though this information was only used to get a leg up in game play, it is still a form of espionage. The incident cost the Cardinals their two top draft picks of 2017 and a $2 million fine, and brought a lifetime ban and 46 months in prison for Correa.
Getting a Leg Up
To address cybersecurity in sports organizations, the Information Sharing & Analysis Organization (ISAO) was founded in 2016 in response to the growing number of security incidents in the industry. By monitoring and reporting on attacks, it helps sports organizations better understand the TTPs of threat actors. The organization also runs security operations at large sporting events like the Olympics.
Sports organizations hold value in everything they stand for: fans, team owners, and players alike. They also hold massive monetary value, and as we know, Though the ISAO is introducing more standard operating procedures for cybersecurity in sports organizations, they will need to pay closer attention to the TTPs of threat actors targeting the industry. For more insights like these, contact us about our finished intelligence offering.