NCSC reveals scale of cyber attacks on UK sports industry

At least 70% of sporting institutions, organisations and teams in the UK have suffered a security incident in the past 12 months, according to the National Cyber Security Centre (NCSC), which has just published its first-ever report on the impact of cyber crime on one of the country’s highest-profile industries.

Although the NCSC has not named any names, some of the incidents disclosed in the report, Cyber threat to sports organisations, include: blocked turnstiles at stadiums after systems were taken offline by ransomware, which almost led to the cancellation of a football match; a £15,000 loss to a racecourse after a staff member fell victim to an eBay scam promising equipment that never materialised; and even an attempt by organised criminals to sabotage a Premier League transfer deal after a club’s managing director had his emails hacked – in this case, the cyber criminal gang was foiled and missed out on a £1m bonanza.

The NCSC said cyber criminals tended to use three common tactics to target the sports industry – business email compromise (BEC), cyber-enabled fraud, and shutting down critical systems with ransomware.

About 30% of the incidents reported to the NCSC caused direct financial damage to the victim, averaging £10,000 per attack, and the biggest single loss clocked in at £4m. Some 40% of the reported incidents involved malware, and a quarter of those were ransomware attacks.

“While cyber security might not be an obvious consideration for the sports sector as it thinks about its return, our findings show that the impact of cyber criminals cashing in on this industry is very real,” said Paul Chichester, operations director at the NCSC.

Chichester said that with the sports sector still struggling to recover from the impact of the Covid-19 pandemic, sporting organisations could reduce their wider risk exposure easily and quickly by paying more attention to cyber security.

“Sport is a pillar of many of our lives and we’re eagerly anticipating the return to full stadiums and a busy sporting calendar,” he said. “I would urge sporting bodies to use this time to look at where they can improve their cyber security – doing so now will help protect them and millions of fans from the consequences of cyber crime.”

Hugh Robertson, chairman of the British Olympic Association, said: “Improving cyber security across the sports sector is critical. The British Olympic Association sees this report as a crucial first step, helping sports organisations to better understand the threat and highlighting practical steps that organisations should take to improve cyber security practices.”

Tony Sutton, chief operating officer at the Rugby Football League, added: “The issue of cyber security is one that all sports, including rugby league, take seriously. As we grow our digital capabilities and online platforms, protecting the governing body, our members, customers and stakeholders is paramount. We welcome the NCSC report and the guidance it offers the sports sector.”