Cybersecurity on European Football Industry
Thu, 28 Feb 2019 || By Rachmadita K

Football and cybersecurity are usually discussed in separated context because most people thought that football is all about sport and hobby, while they have not yet been aware of the cyber-threat influencing the game.

Then, why is it so important for a club to have a secure data protection system?

A few years ago, cybersecurity issues are not yet considered as an essential measure on football. However, along with the advancement of technology, football is nothing anymore just about the game between two teams consist of eleven people. More than that, football is composed of a lot of data and statistics which would affect the sustainability of order within the industry.

The data vary; starting from supporters, the players, to the board of management. A football club usually owns the personal data of their supporters who hold the seasonal ticket. At least, a club will have the data of addresses, identity card number, bank accounts to the payment method of every supporter. The bigger the club, the bigger the size of the database is. The players are also on exposure because a club owns the statistics of the player (track records on health, injury, to the training progress of every player) to the data of player’s salaries, taxes, to the transfer fees of every player. Aside, talking about player’s privacy, their data such as pictures, videos, messages, or anything on their smartphone and devices could also be threatened by a cybercrime.

In a modern football, every match; trainings; gym sessions, is vital to be recorded by the club. This recorded data then become a prominent variable in analysing performance and planning the strategy of a team. A club also owns the data from talent scouting information to the electronic mails which contains negotiations of transferring players between a club with another. Thus, if the cybersecurity system is not well-maintained, the breach of data could bring a negative impact for both the actors and systems.

How far could it be influencing the game?

The threat of cybercrime could influence the football industry in many aspects, starting from every individual actor on the game, to the club and federation. At the individual level such as supporter and especially player, their data could be hacked then widely-spread on the internet. For the player, the spread of their personal data could have a severe impact on their mental health and their reputation. Some players have already experienced the adverse effect while becoming a victim of a cybercrime. For instance, the English striker of Tottenham Hotspur, Dele Alli, ever become a victim of cybercrime when his video with his ex-girlfriend was widely-spread on the internet. Liverpool defender, Trent Alexander-Arnold, have also experienced the feelings of becoming a cybercrime victim. Arnold, becoming an object of humiliation after his conversation on Snapchat contained him asked a pregnant woman for a date, prevail the internet. Apart from the lousy effect on reputation, the personal data hacking case like this would affect the player’s mentality on the pitch because they will get mocked by their opposite supporters.

For a club, the threat of cybercrime could make worse some aspects. As aforementioned, almost all clubs especially those competing on the highest level definitely would have a lot of data and statistics starting from the training sessions to the match. If someone hacks this data of a club, and then it leaked to their rival, then this doing harms the club.

A club could also have a financial loss caused by the delicacy of cybersecurity they had. One of the club competing on highest level Italian League Serie A, Lazio, is an example of cybercrime victim which got their loss in financial stability. The criminals are hacking the detailed data of player transfer which included two clubs: Lazio and Feyenoord Rotterdam. The criminals were sending an email pretending as a Feyenoord Rotterdam's representative. This email was aimed to demand the rest of transfer fees which have not paid yet by Lazio for two million euros. Lazio that time was have nothing suspiciousness to that email and immediately send the money to pay off the bill on transferring Stefan De Vrij. The money was sent to a bank account in Netherland, but unfortunately, it was not the official bank account of Feyenoord Rotterdam. Feyenoord Rotterdam then certainly disproved the act of them sending the email and denied the accusations of receiving money from Lazio[1].

Furthermore, the cybercrime on the football industry is clearly contradictory with the sportsmanship. A football match which must have been accentuated justice and fair play will lose its meaning when the critical data of a club is hacked and stolen by their opponent. Even the result of a match could also change due to cybercrime. A study held by MDR Cyber revealed that the case of stealing cyber data on football is becoming an entrance of match-fixing practices. Along with the circulation of billion dollars bet, the football industry is the primary target for the cybercriminals to boost the match-fixing practices[2].

How is the current situation?

There is a research conducted by SecurityScorecard[3]Assessing the security posture of three richest football leagues in Europe: English Premier League, German Bundesliga, and Spain’s LaLiga, then comparing it to their football standing. The indicators of security posture are network security; DNS health; patching cadence; endpoint security; IP reputation; web application security; cubit score; hacker chatter; leaked credentials; and social engineering.

The research result was quite surprising. Among all three leagues, a similar pattern emerged: the higher the club sits in the league, the worse their cybersecurity posture tends to be. The result is as follows: Bundesliga came out as the safest, followed by Premier League and La Liga. The most common security issues were weak encryption and web application issues, followed by high severity patching issues and sensitivity of email spoofing[4].

Portrayed on a particular club, surprisingly it is Brighton & Hove Albion—which is a small club from Premier League—that come out as the top rank cybersecurity by SecurityScorecard. This result was unexpected since Brighton & Hove Albion was only two years levelled up to the highest class and still counted as a mediocre club on English Premier League. This scoring took place when they were on the 11th place on EPL standings. Meanwhile, Chelsea with its standing on the fourth place of EPL was inversely proportional towards their lowest score of cybersecurity rank.

Then, what makes big clubs tend to have a low score on cybersecurity?

SecurityScorecard offers two reasons for an explanation. First, big clubs tend to have bigger digital footprints compared to the smaller clubs. The big clubs are internationalizing heavily to build out their brand, and as a result, they are also expanding their digital footprint at a global level. So they have a lot more digital assets and ground to cover and more complexity to coverage. Moreover, with that exposure, maybe they do not have the same level of cyber maturity that traditional businesses have. The other reason is that the big clubs are a potential target by cybercriminals, nothing but the big money and market luring them.

How Industries prevent this issue?

Some clubs start to aware of protecting their player's cyber activity. The FIFA World Cup 2018 held in Russia and what happened behind the field is indicating some acts of enhancing team’s cybersecurity. BBC Sport reports that the Football Association (FA), the governing body of association football in England, is starting its concern of team’s data security especially the sensitive information such as injury, squad selection, and tactical details that could be exposed.

FA officials are pretty concerned about their IT security during their participating on World Cup in Russia. They strengthened online firewalls, and putting encrypted passwords for websites and devices. While practically, they warned the England players and staffs not to use public or hotel Wi-Fi when participating World Cup in Russia, and remind them of existing guidelines relating to their use of social media[5].

Some clubs are also starting to escalate their awareness on securing their data from players, officials, to supporters. An English club, Liverpool FC, since November 2018 is starting to build cooperation with a leading cybersecurity company, NordVPN, to highlight the increasing importance of online safety and security. NordVPN becomes Liverpool's official cybersecurity partner and will work with LFC to protect and secures the online identity and activity of users while they are accessing unsecured networks, such as public Wi-Fi in sports stadiums, hotels, cafes, restaurants, and airports.

Challenges for the future Managerial Improvements

To develop the uprising risk framework which all parties can understand when discussing cybersecurity and risk, SecurityScorecard recommends three steps that need to be taken into consideration: (1) Build cybersecurity into the Enterprise Risk Frameworks and Regulatory Compliance; (2) Establish metrics to demonstrate program maturity and comparative benchmarking; (3) Build your business case around people, processes and technology to demonstrate R[1][6]

Finally, everyone on the industry must have been aware that football is not only about the togetherness of the player and turning up to play on match days. It is indeed a big business with an enormous amount of capitals and the reputations that followed in line. A data breach could have a significant impact on the business. Important to note that just as well as sports standings that change every time, so do the cyber standings are.

Editor: Anisa Pratita Mantovani

Read another article written by Rachmadita K.

 

[1]Return on Investment (ROI).

 

[1] Amir, Waqas. (2018). Phishing Scam: Italian Football Club Tricked into Sending Out €2m to Crooks. [online] Available at :https://www.hackread.com/phishing-scam-italian-football-club-scammed/ [Accessed on 13 Feb 2019]

[2] MDR Cyber. (2018). Cyber Threats to the FIFA 2018 World Cup. Available at: https://www.mishcon.com/assets/managed/docs/downloads/doc_3156/CyberWorldCupv2.pdf [Accessed on 14 Feb 2019]

[3] SecurityScorecard is an information security company founded in 2013, based in New York City, New York, United States. Focusing on third-party management and IT risk management.

[4] McKenna, M. (2018). Top European football clubs find themselves in the relegation zone for cybersecurity. [online] Available at: https://www.techradar.com/news/top-european-football-clubs-find-themselves-in-the-relegation-zone-for-cybersecurity [Accessed on 15 Feb 2019]

[5] Conway, Richard. (2017). World Cup 2018: FA increases cybersecurity over hacking concerns. [online] Available at: https://www.bbc.com/sport/football/41230542 [Accessed on 15 Feb 2019]

[6]