The Need for Digital Defense: Cyber Threats to Sports Organizations
Photo Source: Richard Patterson, Cyber Security Red, Flickr (Jun. 7, 2018) (CC BY 2.0)
By Justin W. Bogle* Posted: 04/12/2021
As demonstrated in the last year, technology has become enmeshed with people’s daily lives to a previously unthinkable degree. Unfortunately, this tight bond has enabled an explosion of cyber-attacks at every level of society. As a recent report by the British government’s National Cyber Security Centre (NCSC) makes abundantly clear, the world of sports has not escaped this dangerous trend. While the phrase “cyber-attacks” appears monolithic, there are many different, but related, types of cyber threats an organization can face. Bad actors have utilized these techniques to attack sports groups around the world, often in search of financial or personal information. Thankfully, sports organizations can mitigate these risks, so long as they follow relatively simple step to protect themselves.
“Cyber-Attacks” Broken Down
While there are a number of ways to mount cyber-attacks, the NCSC recently identified three main types that have been used against sports organizations: Business Email Compromise (BEC), cyber-enabled fraud, and ransomware. BEC, which according the NCSC is the largest threat, is the practice of attempting to obtain fraudulent access to email and other accounts. Bad actors attempt to gain access to senior level employees’ email accounts through techniques such as “spear phishing” or sending emails, text messages, and other messages to trick employees into giving up confidential information. These attacks facilitate fraudulent access, often so bad actors can access financial data. Recently, this practice has grown easier, as more organizations move to software-as-a-service (SaaS) options, such as Office 365, that allows access to multiple platforms with one sign-on. The second major type of cyber-attack is cyber fraud, where attackers attempt to trick users into utilizing fake websites or responding to fraudulent emails to gain access to confidential systems. Finally, the third primary method of attack identified by the NCSC comes from ransomware. Unlike the earlier two types of cyber-attacks, where bad actors are seeking to gain access to systems unnoticed, ransomware attacks lock out rightful users from their systems until the bad actors are paid, hence the name. The unfortunate reality is that about 70% of British sports organizations have experienced at least one of these kinds of cyber-attacks.
A Bruising Series of Hits
Unfortunately for the sporting world, there have been a series of cyber-attacks at different levels over the past few years. In early 2016, the Milwaukee Bucks announced that they had been the subject of a cyber-attack. A team staffer received what he thought was an email from the team president and sent along sensitive employee financial information, including names, addresses, and social security numbers. Furthermore, in the summer of the same year, a Russian-backed hacker group known as “Fancy Bear” attacked the World Anti-Doping Agency (WADA). The group managed to gain access to WADA’s systems through a spear phishing attack and leaked athletes’ personal information onto the internet. In 2020, the popular British football team Manchester United was the victim of a cyber-attack. While the team has not provided clear details on exactly what happened, they were reportedly locked out of their internal systems, potentially due to a ransomware attack. This is not a one-time issue, or something that can be ignored, but rather an ongoing threat that the sports world needs to adjust to.
How to Play Defense
While this threat is real and serious, organizations are not without tools to better protect themselves. A simple, but key, measure would be to institute multi-factor authentication (MFA) for login credentials. MFA is the practice of requiring a user to enter secondary information after their password, such as a randomly generated code, before they can access their account. Such extra steps may be burdensome on the average user but can protect otherwise vulnerable systems from common attacks. To protect against cyber-enabled fraud, the NCSC recommends both training employees to spot and avoid suspicious emails and utilizing more technical methods to make it more difficult for suspicious emails to be sent or received. To defend against ransomware, organizations will need to utilize more technical resources. Updated security software, regular system backups, and segregated systems are necessary to make sure that any potential damage is as limited as possible. Ultimately, this threat is unlikely to subside, so the best strategy for athletic organizations to overcome potential threats in this digital age is a strong defense.
*Staff Writer, Jeffrey S. Moorad Sports Law Journal, J.D. Candidate, May 2022, Villanova University Charles Widger School of L
 See Chuck Brooks, Alarming Cybersecurity Stats: What You Need To Know For 2021, Forbes (Mar. 2, 2021) https://www.forbes.com/sites/chuckbrooks/2021/03/02/alarming-cybersecurity-stats-------what-you-need-to-know-for-2021/?sh=3684729558d3 (noting steep rise in cyberattacks partially due to increased technological integration).
 See id. (referencing various cybercrime victims including governments, corporations, and regular people).
 See The Cyber Threat to Sports Organisations, Nat’l Cyber Security Centre, https://www.ncsc.gov.uk/files/Cyber-threat-to-sports-organisations.pdf (last visited Mar. 23, 2021) (highlighting cyber vulnerabilities in world of sports).
 See Jon Bartley, et al., Cyber Threats To Sports Organisations (And Key Steps To Reduce Exposure), Law in Sport (Oct. 8, 2020) https://www.lawinsport.com/topics/item/cyber-threats-to-sports-organisations-and-key-steps-to-reduce-exposure (detailing various common cyberthreats).
 See generally Sean Lyngaas¸ Manchester United attack illuminates the cyberthreats facing an overlooked sports sector, Cyber Scoop (Dec. 1, 2020) https://www.cyberscoop.com/manchester-united-hack-ransom-cyberattack/ (explaining recent cyber security breach at Manchester United); Steve Ragan, Milwaukee Bucks hit by W-2 Phishing attack, csoonline.com (May 23, 2016) https://www.csoonline.com/article/3073458/milwaukee-bucks-hit-by-w-2-phishing-attack.html (explaining cyber-attack on Milwaukee Bucks); The World Anti-Doping Agency (WADA) Confirms Attack By Russian Cyber Espionage Group, Law in Sport (Sept. 13, 2016) (hereinafter WADA Confirms), https://www.lawinsport.com/topics/news/item/wada-confirms-attack-by-russian-cyber-espionage-group (describing Russian cyber-attack on World Anti-Doping Agency).
 See Matt McLaughlin, Sports Face Off Against Cybersecurity Threats, Biztech Magazine (Nov. 8, 2018) https://biztechmagazine.com/article/2018/11/sports-face-against-cybersecurity-threats (suggesting how sports organizations can better protect themselves).
 See Clare O’Gara, What Is the Cyber Threat to Sports?, Secure World (July 24, 2020), https://www.secureworldexpo.com/industry-news/cyber-threat-to-sports (listing major cyberattack types).
 See The Cyber Threat to Sports Organisations, supra note 3, at 11 (explaining how organizations can be compromised through BEC).
 See Nena Giandomenico, What is Spear-phishing? Defining and Differentiating Spear-phishing from Phishing, Data Insider (Dec. 1, 2020), https://digitalguardian.com/blog/what-is-spear-phishing-defining-and-differentiating-spear-phishing-and-phishing (defining spear-phising).
 See id. (explaining reasoning and purpose of BEC attacks);
 See The Cyber Threat to Sports Organisations, supra note 3, at 11 (explaining new dangers from BEC attacks).
 See id. at 14 (defining cyber fraud and providing examples).
 See id. at 17 (explaining ransomware).
 See id. (defining ransomware practices).
 See id. at 8 (contextualizing scale of problem).
 See McLaughlin, supra note 6 (listing variety of different cyber-attacks).
 See Ragan, supra note 5 (explaining cyberattack against team).
 See id. (describing how team was breached).
 See WADA Confirms, supra note 5 (blaming Russia for recent cyber-attack).
 See id. (describing effects of attack).
 See Tara Seals, Manchester United: IT Systems Disrupted in Cyberattack, Threat Post (Nov. 23, 2020), https://threatpost.com/manchester-united-disrupted-cyberattack/161488/ (noting breach).
 See id. (explaining details of attack).
 See The Cyber Threat to Sports Organisations, supra note 3, at 8 (noting widespread nature of threat).
 See O’Gara, supra note 7 (providing steps organizations can take to better defend themselves from cyber risks).
 See The Cyber Threat to Sports Organisations, supra note 3, at 11 (recommending use of MFA).
 See What is Multi-Factor Authentication (MFA)?, One Login, https://www.onelogin.com/learn/what-is-mfa (last visited Mar. 25, 2021) (defining MFA and explaining its benefits)
 See id. (providing benefits of MFA).
 See The Cyber Threat to Sports Organisations, supra note 3, at 16 (explaining how to combat cyber-enabled fraud).
 See id. at 19 (providing examples of how to defend from ransomware).
 See id. (highlighting proper preventative precautions).