Football is a business driven by data. Data analytics facilitate player and game analysis, social media provides a platform for modern marketing and profile-building, ticket sales are made online, and technology underpins key stadium infrastructure. Football is very much in the digital space: a big data business that faces some big data problems.
At the same time that football has embraced the digital space, the sporting industry has become a target for a range of adverse groups, from nation-states to cybercriminals and hacktivists. Sport-related entities are now operating in an environment where they can be targeted not only for financial gain, but also for more personal attacks, such as attempts to discredit players or national teams.
Medical and training records are assets commonly recognised as being sensitive, and the extent of their sensitivity became apparent late last year. The 2016 to 2018 cyber attacks by the Russian hacking group commonly referred to as Fancy Bear provided access to athletes’ medical records, and the hacking group used these to paint a picture of individuals and teams allegedly stretching the rules for certain drugs. The reality of the drug usage was largely irrelevant; the attackers wanted to raise an air of suspicion, and they succeeded. Clubs need to be aware that when data leaks, context can’t be controlled, and the press doesn't always frame information that could be placed in a negative light impartially.
Player analytics and team statistics are another area where data assets have taken on significant importance in football. Virtually all Premiership teams use the detailed analytics provided by sport-focused digital tools to analyse themselves, and their opponents. What happens if a malicious party is able to alter that data, either influencing how a team handles its players, or how the players approach an opponent on the field? Savvy attackers could find benefit in sabotaging a team’s plans and then placing a few strategic bets. For examples on this, please see our previous article on dark web match-fixing. When a club is relying on systems to guide strategy, they need to know that they can trust those systems.
Clubs value data pertaining to staff, ticket holders, online customers, and any other individuals with whom it interacts. But attackers are also interested: there is money to be made in identity theft and fraud. Personal data and financial data are the key to a successful identity theft, and clubs hold a significant amount of this data.
Finally, there are the clubs themselves. Attackers are becoming much more aware of the capability to hijack the control systems that manage everything from air conditioning in the boxes and lighting the pitch to ticket scanning. Whether the intention is to cause disruption and embarrassment or to extort funds from a team by holding their match to ransom, attackers are likely to increasingly pay attention to these lower-level control systems.
So how should clubs address these issues? Good cyber security practice needs to be dynamic and holistic. Clubs need to not only take measures to improve security but also establish procedures and staff to respond to varying crises when they arise. Clubs should undertake an end-to-end approach that builds - an understanding of the relevant threats, identifying the gaps in controls to address those threats, implementing absent controls, and then maintaining control on an ongoing basis to keep the club secure.
With a rise in the number of attacks against the sporting industry, which are becoming increasingly sophisticated, football clubs should invest in resources that can dynamically address new attacks and attackers. The MDR ‘Cyber Threats to the FIFA 2018 World Cup in Russia’ report highlighted cyber-security risks to that tournament: match-fixing, social engineering to defraud fans travelling to matches and hacktivist groups seeking to disrupt an event by any digital means. Those risks are equally relevant to future football matches, and should be considered by all officials, players, and fans.