English football club Manchester United have admitted that they were targeted by a “sophisticated operation by organised cyber criminals” that resulted in minor disruption to their IT services.
Manchester United announced the attack via a club statement published on Friday, stating that the attack caused an IT disruption but they acted quickly to isolate the affected systems and ensure that critical systems required for matches to take place at Old Trafford remained secure and operational.
“Manchester United can confirm that the club has experienced a cyber attack on our systems. The club has taken swift action to contain the attack and is currently working with expert advisers to investigate the incident and minimise the ongoing IT disruption,” the club statement read.
“Although this is a sophisticated operation by organised cyber criminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this risk. Our cyber defences identified the attack and shut down affected systems to contain the damage and protect data.
“Club media channels, including our website and app, are unaffected and we are not currently aware of any breach of personal data associated with our fans and customers. All critical systems required for matches to take place at Old Trafford remain secure and operational and tomorrow’s game against West Bromwich Albion will go ahead.”
That hackers chose to target a prestigious football club like Manchester United may not surprise anyone, especially because, according to the National Cyber Security Centre (NCSC), hackers are carrying out a range of attacks to defraud sports organisations and make quick money. In fact, at least 70% of sports organisations have suffered a cyber incident every 12 months, more than double the average for UK businesses.
The fact that cyber criminals are actively targeting sports organisations may not come as a surprise, considering that sport contributes over £37 billion to the UK economy each year, employs hundreds of thousands of people, oversees a large number of high-value transactions every day, and is heavily reliant on digital technology.
According to the NCSC, a vast majority of sports organisations in the UK store the personal information of employees, customers and beneficiaries electronically, have internal online business systems, carry out online transactions, use online sharing platforms, and provide customers with the ability to order, book, or pay for services online. These capabilities leave sports companies that do not have watertight security protocols wide open to various cyber threats.
The NCSC found that around a third of cyber incidents suffered by sports organisations in the UK resulted in direct financial damage of up to £100,000 per incident, with the financial damage per incident averaging more than £10,000. Most of the cyber attacks aimed at these companies are not sophisticated and involve hackers using phishing, password spraying, and credential stuffing tactics to defraud their victims.
Commenting on Manchester United’s quick response to the cyber attack, Stuart Reed, UK Director at Orange Cyberdefense, said all data has value to cyber criminals, and in a business as lucrative as Premier League football it is not surprising that the activity of wealthy clubs has piqued the interest of cyber criminals.
“Unsurprisingly, Manchester United has stated that the club has extensive protocols and procedures in place for such an event and had rehearsed for this eventuality. However, it is impossible to cover yourself against all threats in cyberspace, and that’s why a layered approach covering people, process and technology is essential to help minimise the risks,” he said.
According to Sam Curry, chief security officer at Cybereason, all companies and organisations in the public and private sector should realise that they will be attacked at some point and suffer material loss from well-funded hacking groups and/or motivated individuals looking to profit or make political statements off their brand by stealing data, encrypting their files and demanding ransom, and causing companies to be singled out in the headlines.
“But there are steps companies can take as defenders to reverse the adversary advantage and to start making cybercrime less profitable. First, companies need to improve their security hygiene and they need all employees to adhere to internal security guidelines and protocols.
“Secondly, companies need to deploy around-the-clock threat hunting capabilities. They also need to deploy newer anti-ransomware software and advanced detection and response software (XDR) in order to be able to detect in real time when malicious behaviour is occurring inside their network,” he added.