For Cybercriminals, the Football Game’s On and They’re Playing to Win

Our fascination (and for many, obsession) with sports is based on the inspiring skill, physical strength, teamwork, and speed that top-tier athletes bring to their games. And of course, the fierce competitiveness that is particularly typical of football (aka soccer) clubs in European and worldwide.

Top football clubs are multi-billion euro businesses that have as much in common with global entertainment industry players as they do with the clubs of just a few decades ago. Star players are paid millions of euros, along with sponsorship deals and astronomical transfer fees, should they be traded. Media rights, licensing deals, and more sponsorships bring enormous sums into the clubs.

As for today’s most successful entertainment industry players, data and technology are integral to virtually every aspect of football clubs’ operations. Business managers, back-office staff, players, trainers, coaches, scouts, event managers, and others depend on applications to manage training routines, player line-ups and performance assessments, payroll, online ticket sales and myriad other functions. Many clubs operate their own facilities, depending on applications to manage stadium infrastructure such as turnstiles and CCTV, and for streaming games online.

Relevant users must all be able to access these apps and the data they use securely, from wherever they are, in the office, at home, or on the road. The apps and data also must be securely protected from the many rabid fans, interested parties and criminal actors who would do virtually anything to get hold of the sensitive information held by the clubs.

Professional football club operations are often digitally integrated with a host of 3rd party service providers — training consultants, lawyers, agents, tax advisors, health service providers, licensing organisations, broadcasters and many more. Security best practices dictate that their access be limited to only what’s needed and relevant for each one, and no more.

Football Clubs in the Crosshairs

As high-profile businesses with budgets in the billions of euros and significant digital footprints, football clubs have a wealth of attractive, marketable data that can be quickly and easily monetised by cybercriminals. Information such as players’ medical, financial and performance data, sponsorship deals, and fans’ credit card details are all worth a good deal on the black market, and probably even more — in ransom — to the club that wants to keep them from being exposed.

Likewise, a cyberattack that disrupts their app-managed functions — training, player assessments, payroll, online ticket sales, travel booking, facility operations, license management and much more — could cost the clubs dearly in lost revenue and fan loyalty.

Finally, football clubs are particularly vulnerable to attacks during periods such as transfer windows. Knowing that large sums will be changing hands, savvy cybercriminals may attempt to hack into the management email accounts where negotiations play out and fraudulently get a piece of the pie.

These dangers are far from theoretical. Recent high-profile attacks on football clubs include, among many more,

• A 2020 attack on Manchester United, initiated with a user’s click on a phishing email, that shuttered their email systems and mobile apps, and may have exposed scouting data.
• A 2018 business email compromise (BEC) attack in which criminals stole €1.6 million by hacking the email account of a Florentina Italian Serie A football club official and intercepting rights payments from a streaming platform that broadcast Florentina games.
• Personal information of West Ham English Premier League football club supporters was accidentally exposed to other fans who were attempting to log into their own accounts on the club website. While the leak was the result of an application security vulnerability — mostly likely, a configuration error — rather than a breach, the damage was done.

The Most Dangerous Threats

Most attacks on football clubs and other sport organisations are criminal in nature, motivated by financial gain. While some actions have been carried out by nation-state actors in recent years, they are usually limited to high-profile, politically sensitive international events such as the attacks on the 2018 Winter Olympics in Pyongyang.

Despite the fact that most attacks focus on financial fraud, organisations have been directing the lion’s share of their efforts to personal data protection, driven by GDPR compliance requirements. This prioritization of compliance risk is reflected by the sports organisations’ responses in the recent The Cyber Threat to Sports Organisations report, based on a survey commissioned by the UK National Cyber Security Centre (NCSC). 53% of respondents cited personal data protection as their main driver for reducing cyberattacks, while only 2% mentioned preventing fraud or theft.

What Makes Football Clubs So Vulnerable?

According to the NCSC report, 70% of Britain’s sports organisations suffered a cyber incident during the 12-month period it covered, more than twice the average for other businesses. Almost 1/3 of those incidents resulted in financial damage, with costs averaging over €11,000 per incident and ranging up to ten times that sum.

While the public profiles of football clubs might explain why they are frequently targeted, it does not account for breach success rates. This is especially true given that the attack methods used are, for the most part, fairly standard. 75% of the surveyed organisations reported receiving fraudulent emails, text messages or phone calls, and 61% reported that employees were directed to fraudulent websites. These activities are often the first steps in BEC attacks, which represents the most prevalent threat to sports organisations. They are also common channels for executing cyber-enabled fraud and delivering ransomware, the second and third most dominant types of cyberattacks in the sector.

According to the NCSC, poor security control implementation, weak password policies, unpatched software and human error are common in sports organisations. A cybersecurity audit of “three of the richest football leagues in Europe” conducted by SecureScorecard cited similarly disappointing findings: The most common security issues included weak encryption, web application issues, patching issues and susceptibility to email spoofing.

Revealingly, the audit found an inverse relationship between clubs’ football success and their success in managing digital exposure and risk. Here’s why they think that is so: In professional football clubs, cybersecurity is most often managed by general IT or security teams rather than cybersecurity specialists, and cybersecurity decisions are made at the board level.

Executives with the greatest expertise in building and maintaining winning football clubs are unlikely to have deep expertise in building and maintaining strong cyber defences and even less likely to give it the time and attention it needs. Without knowledgeable leadership, clubs may neglect to implement even basic security measures like multi-factor authentication and prompt patching.

Zero Trust Cloud-Based Security for the Win

For complex organisations like football clubs, cloud-based Zero Trust secure access service edge (SASE) platforms provide a flexible, easy-to-manage solution for securing sensitive data and apps from attack and exposure, while simplifying access to the resources that internal users as well as 3rd party consultants need.

Ericom Software’s ZTEdge platform is based on web isolation, sophisticated technology that airgaps user browsers, internal systems, and cloud apps from the dangers of the web and from over-privileged access.

Phishing and BEC-enabled credential theft are the first steps of many cyberattacks. ZTEdge Web Isolation opens unknown sites in read-only mode, preventing unsuspecting users from entering credentials in seamlessly spoofed sites.

To protect endpoints from malicious website content, malvertising and steganographic attacks, all website code is isolated in cloud-based containers: Safe rendering data streamed to users’ regular browsers enables full interaction with websites, with a user experience is indistinguishable from non-isolated browsing. Attached files undergo content disarm and reconstruction (CDR) within the isolated container before being downloaded to the user’s device with native functionality intact.

ZTEdge Web Application Isolation (WAI) protects club websites and apps, cloaking attack surfaces from the view of hackers seeking to scope out open ports or vulnerabilities. For employees and 3rd party contractors using unmanaged devices, WAI enforces granular app and data access controls without requiring any software to be installed. WAI also protects SaaS apps and collaboration sites like Microsoft Teams and the data they contain by enabling login only via the club’s IP address on the ZTEdge Global Cloud, and by applying granular user controls on data sharing activities.

It’s Time to Focus on Your Club’s Cyber Defence Plays

For cybersecurity, as for football, an effective defence strategy must be effective, comprehensive, and simple to execute. Contact Ericom today to learn how ZTEdge solutions can deliver on your cyber defence mission.

---

Share this on:

---

About Gerry Grealish

Gerry Grealish, ZTEdge CMO, is a security industry veteran, bringing over 20 years of marketing and product experience in cybersecurity, cloud, analytics, and related technologies. Responsible for marketing and business development, Gerry previously was at Symantec, where he led the product marketing and go-to-market activities for the company’s broad Network Security portfolio. Prior to Symantec, Gerry was at Blue Coat, which he joined as part of Blue Coat’s acquisition of venture-backed Cloud Access Security Broker (CASB) innovator, Perspecsys, where he was Chief Marketing Officer.