A series of cyber attacks and social engineering campaigns targeting sports organisations in the UK has revealed how unprepared they are to tackle various forms of cyber threats.
Earlier today, a report from the National Cyber Security Centre has revealed how hackers are carrying out a range of attacks to defraud sports organisations to make quick money. According to the cyber security watchdog, at least 70% of sports organisations have suffered a cyber incident every 12 months, more than double the average for UK businesses.
The fact that cyber criminals are actively targeting sports organisations may not come as a surprise- considering that sport contributes over £37 billion to the UK economy each year, employs hundreds of thousands of people, oversees a large number of high-value transactions every day, and is heavily reliant on digital technology.
According to NCSC, a vast majority of sports organisations in the UK are storing the personal information of employees, customers and beneficiaries electronically, have internal online business systems, carry out online transactions, use online sharing platforms, and provide customers the ability to order, book, or pay for services online. These capabilities leave sports companies, that do not have watertight security protocols, wide open to various cyber threats.
A third of cyber incidents have resulted in financial losses to sports companies
NCSC found that around a third of cyber incidents suffered by sports organisations in the UK resulted in direct financial damage of up to £100,000 per incident, with the financial damage per incident averaging more than £10,000. Most of the cyber attacks aimed at these companies are not sophisticated and involve hackers using phishing, password spraying, and credential stuffing tactics to defraud their victims.
In one particular incident, hackers were almost successful in defrauding a Premier League club into paying them £1 million during a transfer window. The hackers first stole Office 365 login credentials of the Managing Director of the club by luring him into entering his credentials on a fake Office 365 login page.
Using the stolen credentials, the hackers monitored account activity and learned about the impending transaction of £1 million with a European club. "The attackers assumed the identity of the MD and communicated with the European club. Simultaneously they created a false email account and pretended to be the European club in communications with the real MD. At this point, the football clubs thought they were talking to each other, but both were talking to the cyber criminals.
Another incident involved a ransomware attack on an EFL club that resulted in the crippling of the club's corporate and security systems and stalling of CCTVs and turnstiles that almost resulted in the cancellation of a match. Hackers also lured an employee at a UK racecourse into making a £15,000 transaction on a fake eBay website to purchase grounds keeping equipment.
"The cyber criminals sent an amended payment request to the MD, changing the real bank details to an account they had control of. The transaction was approved and the Premier League club almost lost £1 million. Fortunately, the payment did not go through. The cyber criminals’ account had a fraud marker against it and the bank refused the payment," NCSC added.
“Sport is a pillar of many of our lives and we’re eagerly anticipating the return to full stadiums and a busy sporting calendar. While cyber security might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real,” said Paul Chichester, Director of Operations at the NCSC.
“I would urge sporting bodies to use this time to look at where they can improve their cyber security – doing so now will help protect them and millions of fans from the consequences of cyber crime.”
Most sports organisations are not focussing on preventing fraud
According to NCSC, the arrival of GDPR certainly forced organisations to review their cyber security practices and prioritise the protection of personal data, due to which only 8% of surveyed organisations had experienced a personal data breach in the previous 12 months.
However, most organisations have adopted a defensive risk management approach to avoid being fined but this has moved their focus away from fighting fraud. Only 2% of organisations have cited prevention of fraud as a primary cyber security objective.
There are many other factors due to which sports organisations are unable to implement additional cyber security measures to prevent fraud and fight social engineering attacks. While 64% of organisations are grappling with budgetary pressure, 14% have a lack of staff and resources, 9% cannot recruit staff with the required skills, 9% don't know what steps to take to make improvements, and 7% don't have the time to make improvements.
Commenting on cyber criminals training their guns at sports organisations, Javvad Malik, security awareness advocate at KnowBe4, said that most spearphishing attacks and BEC scams rely primarily on social engineering tricks to fool employees into making payments into accounts owned by the criminals.
"It's important that all organisations look to investing in robust layered security that can offer technical protections, detection, and response categories, as well as having good procedures, and ensuring all staff have appropriate and timely security awareness and training so they can identify any attacks," he added.