Every Day is Game Day for Cybercrime

Posted on November 2, 2022

Want to learn how to protect your organization?

Contact

As a nation, Americans are obsessed with sports. The sheer spectacle and excitement of the games thrill us and capture our attention and interest. From little leagues up to National Collegiate Athletic Association (NCAA) teams and professional levels, we’re dazzled by players’ skill, amazed at their focus, awed by their speed and strength, and inspired by their teamwork.

Professional sports leagues are also a huge business. In North America, the National Football League (NFL), Major League Baseball (MLB) and National Basketball Association (NBA) lead the pack, with revenues in the hundreds of billions of dollars. And of course, college-level basketball and football leagues also generate huge profits, with sums that pale only when compared to professional leagues.

The pro sports industry has a great deal in common with the movie, TV and gaming sectors. Data and technology are integral to virtually every aspect of sports operations, as they are for popular culture and entertainment segments. The many individuals working behind the scenes to ensure that sports operations run smoothly, seamlessly and profitably – business managers, back-office employees, coaches, scouts, event managers, PR managers, facility managers and more – need to be able to easily and securely access the data and apps they need. Access must be available from everywhere without risking exposure of sensitive information, in the office, at home, at events, and on the road.

Professional sports league operations also depend on a host of third-party providers and consultants like financial and tax advisors, law firms, agents, trainers, health service providers, broadcasters, and many others. To be effective, these armies of collaborating third parties typically need direct access to their clients’ systems, applications, and data. But just like any other large, distributed enterprise, sports franchises need to ensure they remain protected by adhering to zero trust security principles that dictate that access be limited to only what each party needs to do their job, and no more.

Data is the New Playing Field

Sports is a high-profile industry, and many teams are billion-dollar businesses with prominent digital footprints. The wealth of data they hold includes players’ medical information and performance stats, financial reports, customer credit card details, sponsorship agreements, scouting reports and a lot more. This data could be of value to competitors, reporters and fans, as well as bookmakers, which makes it a lucrative target for cybercriminals, who could reasonably assume that sports teams might pay hefty ransoms to keep data out of the public eye.

Teams depend on numerous digital applications to run their many business activities, including ticket sales, stadium operations, fan events, merchandise licensing and sales, training, game streaming, websites, payroll, recruitment and more. A cyberattack could disrupt player training, ticket and merchandise sales and even games, and expose teams to revenue loss, reputational damage and legal risk.

These are not hypothetical risks. Some recent high-profile attacks on sports teams and prominent sporting events include:

A BlackByte ransomware attack on the San Francisco 49’s network in which the personal information of almost 21,000 individuals was stolen.
A Babuk attack on the NBA’s Houston Rockets in 2021 in which 500 gigabytes of financial data, NDAs and contract information “went missing,” despite the cybercriminals’ failure to install ransomware on team systems.
A 2020 ransomware attack on ArbiterSports, a sports software company that helps schools, including NCAA members, staff sporting events. Many of the 540,000 sports officials and event workers whose details were exposed have joined a class-action lawsuit against ArbiterSports for failure to “utilize and implement the most basic security precautions to protect its users’ data from attackers.”
The NFL’s social media accounts along with the accounts of 15 teams were hacked on a single day in 2020.
And of course, there was the infamous state-sponsored attack on the 2018 Pyeongchang Winter Olympics which prevented spectators from printing out opening ceremony tickets they purchased.

What Makes Sports Teams Vulnerable?

Sport organizations are prominent targets for financially motivated cyberattacks, just like other industries. Attacks might also be attempts to score competitive intelligence or inside information for third parties, like sports betting. Others, like the Winter Olympics attack cited above and the 2016 attack on the World Anti-Doping agency, were politically motivated.

But a primary reason that sports teams and related organizations are in cyberattackers’ crosshairs is the one cited by the ArbiterSport attack victims: Security practices in the sector are frequently lax. So many people, vendors, applications and systems are involved in coordinating players, venues, events and business functions that maintaining seamless security hygiene and ensuring that all infrastructure is secured is a real challenge.

As in most industries, cyberattacks on sports organizations primarily start with phishing and other types of social engineering before progressing to ransomware, data exfiltration or injection of other malware. To protect their data, customers, players and business, sports teams must up their security game.

Zero Trust Cloud-Based Security: A Slam Dunk

For sports teams, cloud-based Zero Trust secure access service edge (SASE) platforms can protect sensitive player and financial data and apps from attack and exposure while enabling internal and third-party users to securely access the resources they need.

Ericom Software’s ZTEdge Web Isolation leverages remote browser isolation (RBI) to airgap users’ browsers from the dangers of the web, even when malicious content is delivered in encrypted content via applications such as WhatsApp or Telegram IMs. With RBI, all code from the web is executed in a virtual browser. Only safe rendering data is sent to users’ regular browsers, where they can interact with websites just as they would when browsing without isolation. Any attached files are deconstructed, examined and, if necessary, disarmed within the isolated container before being downloaded to the user’s device with desired native functionality intact.

Learn More about WAI

Many cyberattacks begin with phishing and BEC-enabled credential theft. By opening unknown sites in read-only mode, ZTEdge Web Isolation prevents unsuspecting users from entering credentials on even expertly spoofed websites and fake sign-in forms. ZTEdge also includes the only browser isolation solution that utilizes RBI to isolate and secure virtual meetings.

To protect sensitive sports organization data, such as information stored in a training app that could reveal player weaknesses, ZTEdge Web Application Isolation (WAI) applies least-privilege controls on user access. Because WAI is cloud-based, no installation on endpoints is needed. Yet WAI enforces granular app and data access controls for employees and 3rd party contractors – even those using unmanaged devices and BYODs. By enabling access only via the ZTEdge Global Cloud, WAI applies granular controls on access to private web apps, SaaS platforms and cloud applications, including collaboration sites like Microsoft Teams. Finally, WAI cloaks attack surfaces so hackers can’t scope out open ports or vulnerabilities to exploit.

Keep Your Sports Organization’s Eyes on the Prize

Cybersecurity defense strategies, like defensive strategies on the playing field, must be comprehensive, effective, and easily implemented. Contact us for a demo of how ZTEdge solutions can deliver on your organization’s cyber defense mission.

Share this on:

About James Lui

Ericom Software Group CTO, Americas