CyberWatch

Cybersecurity's New Playing Field: Why Sports Organizations Draw Hackers

By

Shaun Waterman, Contributing Writer

By

Access Point Consulting

If hackers follow the Willie Sutton rule — going where the money/data/geopolitical leverage is, then professional sports organizations, or PSOs, represent a kind of perfect storm of motivation.

Hackers Follow the Money—and the Data

Financially motivated hackers have hit major sports teams with ransomware attacks and attempted to compromise their fans’ credit card data. Politically motivated ones have hacked live sporting events. Cyber attacks attributed to foreign governments have even leaked athletes’ drug test data from international sporting events, apparently to advance geopolitical aims.

The Digital Transformation of Sports

Over the past decade, PSOs, like other enterprises, have undergone a digital transformation — moving their operations online and to the cloud. From scoring and judging systems to digital display, retail sales and the streaming/broadcast of games, PSOs are incorporating new forms of internet connectivity, improving productivity and efficiency, but opening a broader attack surface for hackers, online criminals and cyberspies.

Cyber Attack Statistics in Sports

A 2020 report, by the UK government’s National Cyber Security Center (NCSC), The Cyber Threat to Sports Organisations: Ensuring Fair Play Online, found that 70 percent of sports organizations in the UK had experienced at least one incident of harmful cyber activity, more than double the (32 percent) rate across businesses as a whole.

Raising Cybersecurity Awareness

But those risks for PSOs also represent an opportunity, argues Betsy Cooper, founding Director of the Aspen Tech Policy Hub, who points out that getting ordinary people to care about cybersecurity — their own and that of the nation more broadly — is something of a holy grail for cyber policy types.

“Sports is an area in which we can bring cybersecurity to the common people, because almost everybody cares about what happens in their sporting events,” Cooper told CyberWatch.

The Hawk-Eye Vulnerability

She said raising questions about the security of sports technology — whether hackers could shut down the ticketing systems at a large venue; or even alter the outcome of a tennis match by hacking the technology used to determine whether a ball was in or out, was a way to put cybersecurity issues front and center for ordinary Americans.

“This is a way to make the effects of cyberattacks visible to ordinary people,” she said.

Cooper acknowledged that changing the outcome of a sporting event, like other kinds of information operations, was less likely to be successful, the more public attention was fixed on it.

“With so many eyeballs on the Super Bowl or on the U.S Open, I think that [hacking such an event] would be hard. … But I'm more concerned about smaller tennis tournaments. There are large bets being placed on the outcome of the 150th and 250th [ranked] players in the world playing each other.”

Tennis, like many other sports, including the NFL, NBA and MLS uses ball-tracking technology from vendor Hawk-Eye to determine whether a ball landed inside or outside the line.

But uniquely in tennis, Cooper said, Hawk-Eye had the final say. Unlike the way it was used in other sports, in tennis, the Sony-owned technology could not be overruled by a human

“If Hawk-Eye says the ball’s out, it's out,” explained Cooper, no matter what the audience saw. Hacking the system, which combines images from 10 or more cameras around the tennis court using proprietary software, so that it called one player’s shots out more frequently, “would be one way that a gambler, for instance, or just a huge fan of a particular athlete could try to influence the outcome of the game,” she said.

Jake Moore, Global Cybersecurity Advisor for Eset, the cybersecurity firm that protects Hawk-Eye’s technology told CyberWatch they “remain committed to staying ahead of the game by continually improving our solutions.”

“As cybercriminals don’t play by the rules,” Moore added, “Hawk-Eye relies on our robust cybersecurity measures to ensure the integrity and defense of its data and operations.”

Compartmentalizing Systems for Safety

Trying to change the outcome of a sporting event would be one of the most ambitious kinds of hack against a PSO, but they are subject to the full range of cyberattacks, the UK government report found. NCSC cataloged cyberattacks ranging from phishing and credential stuffing to business email compromise attempts and said they came mostly from low-level, financially motivated hackers.

“There are different layers,” of technology that could be attacked, Cooper said, going outwards from the event itself, through the ticketing and access control technologies, digital display and live-streaming devices all the way out to the team’s web presence.

“You have to compartmentalize,” she said, recommending that, at least for large, sophisticated organizations, “There is no reason why your ticketing systems need to be linked to your scoreboard systems, need to be linked to your athlete data systems.”

Smaller, less well-resourced PSOs might need to bring all their systems together so they could be protected by a single security vendor, she said, “But if you're a sophisticated sporting organization that has the flexibility to build out multiple systems, I recommend compartmentalization.”

One Size Doesn't Fit All

Her observation highlights one of the characteristics of sports organizations: Their incredible variability.

They run the gamut, Cooper pointed out, “from the Olympics to my local youth sports team in Napa.” But even the smallest PSO will have data on its players, and maybe fans too, “Everyone needs to be thinking about, do you need this data? Does it need to be stored online? And if so, what precautions can you put into place to try to make sure that that stays safe?”

The Cybersecurity Maturity Gap

But a report last year from UK consultants NCC Group, The Hidden Opponent: Cyber Threats in Sport, found a surprisingly low level of cybersecurity maturity in British sporting organizations.

Few had a Chief Information Security Officer, and in most organizations the IT staff were responsible for cybersecurity “but with very limited financial resources available.”

One IT manager for an unnamed professional soccer team told researchers that the multi-million-pound enterprise had two sides: “You have the playing side which is a big business and then you have a [small business] on the other side running IT with limited staff and budget.”

The report also noted that, despite the willingness expressed by many PSOs to share threat and attack information, there was no formal forum for such exchanges in the UK.

Collaborating to Defend

Although Cooper said she was aware of informal exchanges between the CISOs of major PSOs in the U.S., there was no Information Sharing and Analysis Council or ISAC, for the sector. The 16 business sectors designated by the federal government as critical infrastructure all have ISACs — as do other industries like space and auto manufacturers.

It was a gap, she said.

“The more different organizations are sharing about what they've prevented, what they've seen in the way of attacks, the better able everyone is to defend themselves.”

Resources

Trending Articles & Security Reports

Resources

CyberWatch

October 7, 2024

VINs and Losses: How Hackers Take Kias for a Ride

In the age of smart cars and connected devices, convenience often comes with hidden risks. A recently discovered critical vulnerability in Kia vehicles serves as a stark reminder of how our increasingly digital world is making cars new targets for cyberattacks. This vulnerability allowed hackers to remotely control various vehicle functions—using nothing more than a car's license plate number. It highlights the growing threat of cyberattacks on connected cars and the importance of cybersecurity in the automotive industry.

Find out more
October 3, 2024

Vulnerability in SolarWinds Managed File Transfer Server Actively Exploited

CVE-2024-28995 SolarWinds has issued a critical update for a zero-day vulnerability in its Serv-U MFT Server, allowing attackers to bypass security and access restricted files without authentication. Actively exploited, this flaw poses a significant risk for businesses that delay applying the fix.

Find out more
October 1, 2024

Critical Container Flaw Could Impact NVIDIA AI Services

On September 25th, NVIDIA issued a security advisory regarding a critical vulnerability (CVE-2024-0132) in the NVIDIA Container Toolkit. This Time-of-Check Time-of-Use (TOCTOU) flaw allows a specially crafted container image to access the host file system. The vulnerability impacts most AI applications in both cloud and on-prem environments using NVIDIA GPUs.

Find out more