Behind the excitement, comradery, and competition of large-scale sporting events is a darker endeavor – threat actors target these high-profile gatherings to steal data, commit fraud and disrupt the experience for athletes and fans.

Attacks on iconic events like the Olympics, Premier League games, FIFA World Cup, and the Super Bowl have escalated in recent years. A 2020 survey by the UK’s National Cyber Security Centre (NCSC) found that 70% of sporting organizations are hit by at least one cyberattack annually.

Now we’re seeing a new trend in which attackers are also targeting individual athletes and fans.

Expanding the Targets

The amount of data collected and shared online before and during large sporting events is low-hanging fruit for attackers. Athlete health and personal data are tracked with digital systems, stadiums are integrated with smart technologies, and fans use apps for the entire event from ticket purchase to entry to the game experience.

Attacks against fans take advantage of the likelihood that they will click a bad link or fill out a fraudulent form in pursuit of the event experience. For example, a 2023 report from Lloyds Bank found fraudulent ticket scams on social media had more than doubled from 2022.

Similarly, athletes who use social media to build their brand often don’t have the cybersecurity awareness training to know what’s not legitimate communication and can fall victim to monetary fraud scams. Global Accounting and Consulting firm EY reported in 2021 that professional athletes allegedly lost more than $600 million to fraud schemes from 2004 to 2019, and attacks are ramping up in conjunction with rising athlete income from salaries and endorsements.

Inviting a Hidden Opponent to the Field

The numerous access points created by digitization of the event experience make large-scale, international sporting events a prime target for these common attacks:

• Business Email Compromise (BEC)

In the same 2020 survey by the NCSC, BEC was named the biggest cyber threat to sports organizations. It’s important to note that while called ‘business email compromise”, attackers gain access to individual email accounts – such as that of an executive. Posing as trusted figures, attackers email contacts asking for money or financial information, often resulting in an unauthorized transfer of funds.

• Distributed Denial of Service (DDoS)

DDoS attacks against organizations and events have surged in recent years; the Rio Olympics faced DDoS attacks that reached a whopping 540 GB per second. Adversaries leverage DDoS attacks to make powerful statements, for financial gain, or to send a politically-motivated message. The DDoS attack that disrupted the live broadcast of Poland’s Euro 2024 soccer tournament has been blamed on Russian hackers intent on preventing Polish fans from watching the match online.

• State-Sponsored Hacking

International sporting events present a rare opportunity to commit espionage. During the 2014 Sochi Olympics, Russian operatives attacked Android devices using a zero-day vulnerability. Similarly, at events like the 2008 Beijing Olympics and the 2016 Rio Olympics, governments allegedly tampered with athletes’ electronic devices, sometimes leaving them disassembled after extracting data.

• Ransomware

Ransomware has made its mark on sporting events as recently as 2022, when the San Francisco 49ers announced that the personal information of more than 20,000 employees and fans was compromised in a ransomware attack. While ransomware is often an attack tool, it functions more as a “step two” for other attacks against large-scale sporting events. With the information gained via BEC, DDoS, and state-sponsored attacks, adversaries can then deploy ransomware in the corporate environments attached to that information.

Motivations Behind Sporting Event Attacks

There isn’t just one motivation for threat actors to target sporting events, teams, athletes and fans. Sometimes it’s about financial gain. Sporting events are rife with money. Professional athletes are often signed onto multi-million dollar contracts and deals, fans are spending big bucks before and during events, and organizations hold valuable personal data on attendees, athletes and sponsors.

High-profile events like the Olympics carry the widespread visibility “hacktivists” want if their goal is to make a political statement or gain leverage over a certain cause, and geopolitical unrest heightens the significance of cyberattacks. Espionage can be another motive. The convergence of international officials and leaders, media and athletic organizations allows attackers to gather intelligence data they can then exploit to gain control over organizations or governments.

Managing and Monitoring Cybersecurity for Large-Scale Events

There are steps an organization can take to reduce the likelihood of an attack.

Implement cybersecurity awareness and training. Educate employees and athletes about how to identify phishing emails and spam text messages, as well as how to properly use security processes like multi-factor authentication.

Implement a multi-layered security framework. Fortify your network against data breaches and unauthorized access by deploying firewalls, detection and prevention systems, and strong encryption protocols. Establishing this stronghold before an event adds an important layer of security against adversaries.

Conduct regular security assessments to identify gaps and vulnerabilities. Understand the strengths and weaknesses in your network infrastructure, and conduct assessments following any major corporate changes, such as mergers or acquisitions of teams, players or leagues.

Invest in a 24/7 SOC. Keep an eye on the security of your network infrastructure and information platforms leading up to and during the event. After an event, the security solutions deployed often remain in place, establishing a new baseline for security visibility. You can also leverage events to secure additional budgets for enhancing security measures.

Conduct Penetration Testing. Pen testing before and after an event is critical, especially for new platforms or infrastructure implemented to support the event.

The world will always coalesce around sporting events, and protecting participants and attendees requires careful planning and coordination across multiple fronts. Understand the risks and secure your network to keep the bad players out of the game.