The UK’s National Cyber Security Centre has revealed in a new report that stadium technology has become a prime target of criminals as part of an escalating campaign of attacks against the country’s sports industry.

In the NCSC’s first ever report on threats to the sports sector in the UK, it was revealed that 70% of institutions within the industry, including clubs and stadium operators, are subjected to a cyber incident every 12 months – more than double the average for UK businesses.

Crucially, whilst cyber-enabled fraud and business email compromise (BEC) attacks have been used to extract money, it is ransomware – which is a form of malware that encrypts files, with the attacker then demanding a ransom, usually via a cryptocurrency – that has been used to shut down “critical event systems and stadiums”.

The report, which described sport as a “high-value target”, said that in one incident an English Football League club suffered a significant ransomware attack that “crippled their corporate and security systems”. As a result, the CCTV and turnstiles at the club’s stadium were unable to operate, almost leading to a fixture being postponed.

The report noted that more than 80% of the organisations have online business systems, such as ticketing, “which process thousands of financial transactions,” and are therefore potential targets for hackers.

The report also found that about 30% of such incidents cause direct financial damage, with the average cost being £10,000, although one attack led to a loss of more than £4m. Whilst the majority of sports institutions experience a cyber incident every year, nearly a third ensure more than five such attacks in the same period.

Approximately 40% of attacks on sports organisations involved malware, with a quarter of those involving ransomware, which has become an increasing problem for businesses worldwide.

In 2015, ransomware was used to extract $24m worldwide, but by 2019, the figure had rocketed to an estimated $11.5bn.

The report states that although most organisations have basic security measures in place – such as antivirus, firewalls and user-access controls – 21% of surveyed companies do not have a patching strategy to add crucial updates to their systems and 25% do not back up their data, leaving them exposed to ransomware attacks.

“Sport is a pillar of many of our lives and we’re eagerly anticipating the return to full stadiums and a busy sporting calendar,” the NCSC’s director of operations, Paul Chichester, said.

“While cyber security might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real.

“I would urge sporting bodies to use this time to look at where they can improve their cyber security – doing so now will help protect them and millions of fans from the consequences of cyber crime.”

The NCSC report can be downloaded here.

Image: Ungry Young Man – (CC by 2.0)