The past few years have been just as kind to sports organization CISOs as Super Bowl LII was to the New England Patriots.
With their increasing reliance on information technology, the NFL, MLB, and international organizations like the IOC have found themselves bedeviled by a growing array of online security threats. Some of these target fans; others aim to squeeze illicit profits from wealthy sports organizations; still others exact revenge on rival teams’ online presences.
The consequences of failure can be just as disastrous for CISOs as they are for highly-paid sports heroes; the only difference is that the former don’t have a supermodel wife’s shoulder to cry on.
Easily-guessed password leads to MLB hack
When Sig Mejdal turned over his laptop to the St. Louis Cardinals after accepting a job at the Houston Astros, he inadvertently gave the Cardinals’ scouting director Chris Correa access to his new boss’ deepest secrets.
Guessing that Mejdal’s Astros login details would be little changed from his Cardinals’ credentials, Correa successfully used Mejdal’s password information to access Houston’s “Ground Control” database, eventually logging in over 50 times between 2013 and 2014 to browse through scouting assessments, player trade discussions and over a hundred pages of unspecified “confidential information”.
Correa went down hard after getting caught: he was fired from the Cardinals, banned for life from Major League Baseball, and sentenced to 46 months in prison and ordered to pay $280,000 in restitution, even after pleading guilty to five counts of unauthorized access to a protected computer. The scandal cost the Cardinals their top two draft picks for 2017 (with an expected value of up to $20 million) and a $2 million fine.
“This isn’t a matter of gamesmanship,” explained CBS Sports’ Mike Axisa from the sidelines. “This is the executive of one private company hacking into another’s information to gain an advantage. It’s espionage.”
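The Ground Control break-in worked because the new password was a trivial edit of the old one. The following is an added example (not code from the article or from either club) of the check a password-change handler can run at the moment it still has both the old and the proposed password in plaintext, in the spirit of pam_cracklib's difok rule: reject small edits, reject the old password with a new suffix or leet spelling, and reject anything found in a compromised-password corpus. The corpus, the password strings and the 12-character minimum are constructed for the example.

```python
"""Password-change checks (added example, not from the article).

Defends against the pattern in the Correa case: a new password that is a
small edit of the previous one, or one already in a breach corpus. The
BREACHED_SHA1 set is constructed; a real deployment would query a breach
corpus such as the HIBP range API with the first five hex digits of the
SHA-1 and compare suffixes locally.
"""
import hashlib
import re

# Constructed stand-in for a compromised-password corpus, keyed by SHA-1.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Cardinals2013!", "Password1", "baseball")
}

# Leet substitutions people use to "change" a password without changing it.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means `a` is a trivial edit of `b`."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(pw: str) -> str:
    """Strip case, trailing digits/punctuation and leet spelling so that
    'Cardinals2013!' and 'C@rdinals2014' both reduce to 'cardinals'."""
    s = pw.lower()
    s = re.sub(r"[\d!@#$%^&*._-]+$", "", s)   # drop trailing 2013!, 1, ...
    return s.translate(_LEET)


def is_breached(pw: str, corpus=BREACHED_SHA1) -> bool:
    """True if the SHA-1 of the password is in the (constructed) corpus."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return digest in corpus


def check_new_password(old: str, new: str, min_distance: int = 4) -> list[str]:
    """Return the policy violations for a proposed change; [] means accept.
    `old` is the current plaintext, which is available at change time."""
    problems = []
    if len(new) < 12:
        problems.append("too short (minimum 12 characters)")
    if is_breached(new):
        problems.append("appears in a known-compromised password corpus")
    if edit_distance(old, new) < min_distance:
        problems.append(f"differs from the previous password by fewer than {min_distance} edits")
    if normalize(old) and normalize(old) == normalize(new):
        problems.append("is the previous password with a different suffix, case or leet spelling")
    return problems


if __name__ == "__main__":
    for old, new in [("Cardinals2013!", "Cardinals2014!"),
                     ("Cardinals2013!", "correct-horse-battery-2019"),
                     ("whatever", "Password1")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'OK'}")
```

The similarity check only works while the old plaintext is in hand, which is why it belongs in the change flow rather than in a later audit; once only hashes are stored, the breach-corpus lookup is the only one of these checks that can still be run.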
Phishing scheme hooks NBA team’s tax records
Losing Jason Kidd was just the latest blow in a bad couple of years for the NBA’s Milwaukee Bucks. In 2016, fraudsters impersonated team president Peter Feigin in an email requesting the Bucks players’ and staff’s W-2 records for the previous year.
The email recipient obliged, turning over tax records that revealed, among other things, Social Security numbers, dates of birth, compensation packages and other delicate financial statements. The breach lay undiscovered for a month; by then, the fraudsters had plenty of time to use the information they’d snagged from the phishing scheme.
The Bucks weren’t the only organization that fell victim to a W-2 phishing scheme; in 2016, over 140 other organizations reported falling for the same trick, including Seagate Technology and Snapchat.
“This is one of the most dangerous email phishing scams we’ve seen in a long time,” said IRS Commissioner John Koskinen. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns.”
Super Bowl host website unwittingly spreads malware
“Websites related to the Super Bowl will have been a popular destination for surfers around the world in the run-up to Sunday’s game, and a prime opportunity for hackers to infect the unwary,” explained Graham Cluley, senior technology consultant for Sophos. “System administrators need to put measures in place to better defend their workers’ PCs and their networks from attack.”
If successful, the code would have installed a Trojan downloader and password-stealing software on the user’s Windows-enabled computer, allowing the hackers to compromise the hardware at their leisure.
That’s a big “if” – the exploit would not work on Windows machines with up-to-date patches, which covers most users who set their devices to receive automatic updates. If your machine hadn’t been updated in a while, then good luck keeping your data safe!
DDoS attack takes bookie’s website down
A distributed denial of service (DDoS) attack is like a football tackle – you never know when you’ll get hit, and it takes you down completely when it happens. British bookmaker William Hill and the Australian Olympic swimming governing body both experienced crippling DDoS attacks in 2016.
William Hill experienced intermittent service for about 24 hours, forcing the bookie to miss out on several popular Champions League soccer matches. Gambling.com estimates “that single day may have cost the odds maker over £4 million.”
A similar DDoS attack took out the website belonging to the body that supervises Olympic-level competitive swimming in Australia. Unlike the bookie attack above, the swimming DDoS seems to have a clearer motive: payback for an Australian swimmer’s accusation of illegal doping against a Chinese competitor.
And unlike the William Hill DDoS attack, the swimming body’s site managed to stay afloat with some help from anti-DDoS service CloudFlare.
NFL commissioner reads own obituary on (hacked) Twitter account
Last December, the National Football League’s official Twitter account had the sad duty to report that Commissioner Roger Goodell had gone to the great gridiron in the sky. “We regret to inform our fans that our commissioner, Roger Goodell, has passed away,” the tweet read. “He was 57. #RIP.”
Goodell was (and is) still with us: the Twitter account had been hacked (whether by guessing the password or by social engineering, nobody knows), and the hijacker only had a few minutes’ control of the 24-million-follower account before the official team regained access.
The hacker’s identity remains unknown, although Patriots quarterback Tom Brady may have been sighted with a laptop at the time.