The British government agency National Cyber Security Center warns the British sports sector against cybercrime. At least 70 percent of all British sports facilities would experience a ‘cyber incident’ every year, more than double that of all British companies.
According to the NCSC report, more than 4.3 million euros was recovered from the largest incident, although it does not provide any further details about that incident. The NCSC does write about a transfer in the Premier League, in which the e-mail account of a club director was broken into. The CEO clicked on a link in a phishing email, which sent him to a fake Office 365 login page. Here he filled in his login details. The criminals were then able to intercept the mail traffic and adjust payment details in the mails, so that the director transferred the converted amount of 1.1 million euros to the criminals. However, the payment was intercepted by the bank, because the criminals’ account had already received a fraud report at the bank. Only then did the two clubs find out about the fraud.
In another incident, a football club’s computers were infected with ransomware, causing the club’s turnstiles and cameras to stop working. This almost meant that a football match had to be abandoned. In this attack, the criminals asked for 400 bitcoin. All computer systems at this club were connected to the same network, allowing the virus to quickly infect all systems. The attack cost the club hundreds of thousands of euros.
Cyber criminals also use rogue eBay sites, according to the NCSC, in which an employee of a British racecourse thought he was buying a green management device. The conversation went through the legit eBay site and both parties agreed to make payment through the platform. However, the seller forwarded a link that led to a fake version of eBay. The seller transferred 16,474 euros converted via this platform. Only later did the employee realize that the transaction was malicious, when the money could not be refunded.
The NCSC states that about 30 percent of all cybercrime incidents in the sports sector lead to financial damage. On average, this amounts to 10,980 euros per incident. The center does emphasize that these costs vary greatly, from 549 euros to more than 109,868 euros.
In general, according to the center, the chances of the attacks being carried out by state hackers are small. There have been a few ‘highly targeted’ incidents in which a country did coordinate a cyber attack against a sports organization, such as the Russian GRU against the World Anti-Doping Agency in August 2016. Then GRU stole confidential medical documents from WADA, which were then released to the public. were leaked.
The government body is urging British sports organizations to better ensure their cyber security. The organization emphasizes the importance of backups, investigating security holes and better explaining to employees where these security holes may be. The NCSC also recommends the use of mfa and more complicated passwords.