Manchester United, one of the wealthiest and most decorated soccer clubs in the world, is still recovering from a disruption of its computer systems that it revealed 11 days ago.
Beyond a statement blaming “organized cybercriminals” for the incident, the club has declined to comment on who was behind the breach or whether it involved ransomware. The club said it took “swift action to contain the attack” and worked with outside security experts to minimize disruption to its IT systems.
But the incident speaks for itself in some ways. It’s a stark reminder that major sports franchises have a target on their backs from cybercriminals, even if regulators and the press don’t apply the same amount of scrutiny to data protection strategies in athletics as in other sectors, like energy and finance.
“We’ve seen more and more football clubs and other high-profile sporting businesses targeted by things like ransomware,” said Ciaran Martin, who until August headed the National Cyber Security Centre, the U.K. government’s cyberdefense agency.
Merritt Maxim, a vice president at research firm Forrester who has studied sports-related cyberthreats, said the number of apps and other software-based tools that teams now offer fans has opened up more attack vectors for hackers.
Awareness of the threats facing the sector has grown in recent years, with sports organizations like Major League Baseball and the National Football League now employing chief information security officers. But big challenges remain, including incentivizing security investments across the sector, and convincing sports teams to share threats to their analytic platforms, which they might keep hidden as a different kind of competitive advantage, Maxim said.
An attractive target
The NCSC in July released a report detailing a number of previously undocumented security incidents in the English Premier League, where Manchester United plays, and other sports organizations, and called on the sector to tighten its defenses. Seventy percent of the 57 sporting organizations surveyed by the NCSC had experienced at least one “attack” per year, the agency said, compared to a 32% average across British businesses.
Martin said he had no knowledge of the particulars of the cyberattack on Manchester United. Generally speaking, he said, a rich organization that stores lots of personal data, and whose operations are in the public eye, represents an “attractive [target] for a range of criminally motivated actors who are quite opportunistic.”
Few organizations in the world fit that description like Manchester United. Forbes last year valued the club at $3.8 billion; its players travel the world before every season, in non-pandemic times, to play in front of adoring fans. (Manchester United said there is no evidence that fans’ personal information was compromised in the incident.)
A Manchester United spokesperson declined to comment when asked how much the club invests in cybersecurity, in terms of personnel and dollars. The NCSC and the Greater Manchester Police are investigating the cyberattack. Both declined to answer detailed questions about who might be responsible for the breach.
The Olympic test
Sporting organizations typically face hacking threats from financially driven cybercriminals or espionage from state-backed hackers, Martin said. Prior to the release of the NCSC report, Martin said British authorities were seeing an uptick in both types of activity.
One of the most prominent examples of the latter category is Russian military hackers who allegedly targeted anti-doping organizations after Russia was banned from the Olympics.
Maxim said he expects the Olympics to continue to draw interest from state-affiliated hackers. The 2020 Tokyo Olympics were postponed until 2021 because of the coronavirus pandemic. Japanese officials will likely be preparing for unwelcome visitors at next year’s games.
“Unfortunately, the Olympics serve as a test bed, if you will, to make people think seriously about defenses” in the sports sector, Maxim said.