pixfly - stock.adobe.com

Feature

What are the cyber threats to the 2026 Fifa World Cup?

Dig deeper on some of the security issues facing the 2026 World Cup as the tournament faces unprecedented threat levels and challenges

Alex Scroxton
By
Published: 18 Jun 2026

In the run up to the troubled Fifa World Cup 2026 in Canada, Mexico and the US, national headlines have been dominated not by cyber security, but by border security, with tighter entry and Visa restrictions in the US leaving teams, players and officials in a bind, with some banned from entering the country altogether.

Fortunately, at the time of writing – mere hours before England’s Wednesday 17 June opener against Croatia – no major cyber breaches have come to light.

But behind the scenes, the security community has been warning for weeks that the 2026 tournament faces a level of cyber threat unprecedented in the tournament’s history – although, granted, the threat was low to non-existent up to the early 2000s.

Kevin Curran is a senior member of the Institute for Electrical and Electronics Engineers (IEEE) and professor of cyber security at Ulster University in Northern Ireland. He says that besides being the largest World Cup in history, the digitisation of everything from ticketing systems to official apps, streaming services, accreditation databases, stadium networks, sponsor platforms, and much more, has dramatically widened the tournament’s attack surface.

He describes each of these systems as a door that someone must keep locked for the duration of the event. “Attackers only need to find one that is ajar – defenders must secure all of them,” he says.

Sadly, these attackers are getting through all too often. Research published earlier in June by UK cyber firm Darktrace revealed that over 80% of the professional sports organisations it works with were affected by cyber security incidents in the past 12 months, with 57% experiencing multiple attacks. The average cyber incident in sports now costs $169,000 (£126,000) but Darktrace says the real financial impact is compounded, with the most frequently victimised organisations facing cumulative annual remediation and recovery costs of almost $2m.

But the impact is not just financial, with exposed data leading to deep and immediate public and reputational impacts. Sports teams and other bodies inevitably hold private data on multiple famous and high net worth individuals, so contents of the databases held by Premier League teams are inevitably a temptation to attackers.

Darktrace’s report, titled Cyber security in global sport: threats, signals, and strategic implications for a digitised industry, also reveals that Darktrace’s sports sector customers are on the receiving end of a fifth more phishing emails than other industries. Its proprietary /EMAIL service stopped more than 116,000 distinct emails targeting such customers in the six months up to March 2026.

Out of these malicious messages, 21% targeted VIPs, 38% were spear-phishing attempts, 84% successfully passed DMARC authentication, and 37% contained “novel social engineering features”, according to Darktrace.

“Professional sport is a high-pressure environment where timing matters,” says Nathaniel Jones, vice-president of security and AI strategy at Darktrace. “A suspicious login, unusual data movement or unexpected AI agent action may look small in isolation, but during a live event it can become operationally significant very quickly. 

“The most effective way to mitigate the risks facing sports organisations both internally and from external actors today is to adapt a behavioural approach to security. That means shifting away from rules and signatures and focusing on understanding both human and AI [artificial intelligence] behaviour inside your environment.”

The challenge of AI

Jones rightly raises the spectre of artificial intelligence (AI), which is now almost but not quite as pervasive as the melody of The Great Escape theme during an England game.

The Darktrace study found that 83% of cyber pros working in the sports industry believed they had detected AI being used against them in the past year, and 72% believe AI will increase cyber risk over the next year. At the World Cup, the risk is compounded by the confluence of high-profile live events, high-value user data, public pressure, fixed schedules, large partner and supplier networks, and the chance for a successful cyber attacker to have their name plastered all over the front pages.

But AI is also an internal issue in sports; a third of participants in Darktrace’s study said they were using or planning to use AI in areas like ticketing, fan engagement, or marketing, compounding the headache for defenders who are left to deal with the risks development and deploying AI introduce to the business – almost half said this was a concern.

Darktrace said that as sports organisations expand their AI use into more critical areas of operation, they must give their security teams better visibility into what AI tools are able to access, what they can do and how the underlying AI infrastructure itself might be misused.

As AI expands across the industry, the advice to sports organisations differs little from that offered to any other vertical – behavioural approaches to security will become more vital to securing events, and as part of that defenders must understand what normal looks like so that they can detect threats blending into normal activity, whether they emanate from an external attacker, a compromised account or an “offside” AI agent.

The report highlights six areas that need urgent focus:

  • Threat modelling;
  • Supply chain governance and vendor access control;
  • Segmentation across information and operational technology (IT/OT) and public-facing systems;
  • Identity-centric security, including universal multifactor authentication (MFA);
  • Phishing resilience;
  • Operational playbooks aligned to live event constraints.

The quantum World Cup

With a surge in online activity around the World Cup, attackers will likely exploit high engagement levels with ticketing platforms, fantasy leagues, merch drops and streaming services to quietly collect, sift and stockpile personal data for future use.

This phenomena, known as “harvest now, decrypt later”, heralds the advent of workable quantum computers that will almost certainly break existing data encryption standards, at which point any encrypted data stolen in the past can be exposed at will.

Spencer Starkey, executive vice-president at SonicWall, warns that the World Cup presents an ideal opportunity for such data collection, and unfortunately any engaged fan could be at risk.

“Adversaries are focusing on harvesting data – names, payment details, location patterns – all from people who are just excited to be there or watching from home. They are signing up for free drink vouchers and entering competitions to win certain players’ tops. They aren’t paying attention,” says Starkey.

“The data probably won’t get used straight away, it will get stockpiled. And when quantum computing makes encrypted datasets readable, everything collected now becomes a liability. So, you might not see the real threat from the World Cup for another decade.” 

But generative AI (GenAI) is not just an internal problem for sports teams and organisations such as Fifa. It’s affecting fans too, whether watching from the comfort of their living rooms or pre-gaming in an American dive bar.

“Generative AI has lowered the cost of deception. A convincing phishing email no longer betrays itself through clumsy grammar; it can be produced flawlessly, in any language and personalised at scale,” says the IEEE’s Curran.

“Voice cloning and deepfake videos have moved from novelty to a fraud instrument, and we are already aware of AI-generated content weaponised around sporting and geopolitical events in 2026. A fan who once learned to spot the tell-tale signs of a scam is now facing forgeries with no obvious tells,” he says.

“The tournament [also] depends on a sprawling supply chain of vendors, contractors and third-party platforms, any one of which can become the weak link that exposes the whole. [For example], travelling fans connect devices to unfamiliar public Wi-Fi in three countries, often roaming and distracted, which is precisely the condition attackers prefer.”

Chris Olson, CEO of The Media Trust, which supplies digital trust and safety systems to digital publishers, adtech companies and media outlets including the BBC and NBC in the US, makes a similar point to Curran.

“The World Cup doesn’t just sell out stadiums, it sells out consumers,” says Olson. “What most people don’t realise is that scammers aren’t just building fake ticket sites and waiting, they’re buying ad placements to put those sites directly in front of you. The same programmatic advertising infrastructure that serves you a legitimate commercial can, with minimal friction, serve you a malvertisement that leads straight to a credential-harvesting page dressed up in FIFA branding.

“With AI now generating flawless storefronts and deepfaked urgency, the old advice of ‘trust your gut’ is officially outdated. My advice: assume any World Cup deal that reached you through a social media ad or search result is suspect until proven otherwise. Go direct, go official and treat any countdown clock or ‘limited seats remaining’ message as the manipulation tactic it almost certainly is.”

The good news is that for those England and Scotland devotees who have braved the long-haul flight to the US, the advice – while not particularly glamorous – should be effective.

“Type web addresses by hand rather than trusting search adverts or links in messages. Buy tickets and merchandise only through official channels. Enable MFA. Treat any unexpected prize, refund or last-minute ticket as a scam until proven otherwise,” says Curran. “None of this is new advice, and that is rather the point: the attacks evolve, but the basic hygiene that defeats most of them does not.”

Read more about cyber security in sports

Read more on Hackers and cybercrime prevention