According to 2017 reporting, Major League Baseball believed that the Boston Red Sox, at the time in first place in the American League East, used the Apple Watch to illicitly steal hand signals from opposing teams. Allegedly, the Apple Watch was used to not only “steal” hand signals from opposing catchers in games using video recording equipment, but transmit the information likely to team trainers. The theft of such information would help determine the type of pitch that was going to be thrown. The recording of signals is strictly forbidden by league rules.
When it comes to targeting billion-dollar sports franchises, many would assume that cyber crime would be the foremost cyber actors behind the scenes. Based on a 2015 report that estimated the professional sports market in North America to have an expected worth of $73.5 billion by 2019, it’s easy to see why. Indeed, there have been several incidents where cyber crime operations have focused on professional sports teams. In April 2016, the National Basketball Association Milwaukee Bucks players had their financial documents (player addresses, Social Security Numbers, and compensation) accidentally leaked due to a team employee falling victim to an e-mail scam. The employee released players’ 2015 IRS W-2 documents to an emailer impersonating the team’s president. Also in 2016, a crippling TeslaCrypt ransomware attack impacted a NASCAR racing team. An estimated $2 million worth of information was potentially lost prompting payment of the ransom to the criminals.
Taking into consideration the money driving the domestic and international sports market, the competitive nature of teams and leagues, and the political nature of global events, it should not come as a surprise that cyber espionage – whether prompted by a competitor looking for an advantage or a nation state – has put sports in its cross hairs. Granted, the majority of cyber espionage incidents garnering international attention are focused on alleged nation state activity seeking to steal intellectual property, money, or used to infiltrate critical infrastructure networks. However, whether being the targets or the orchestrators of illicit activity, the sports industry has joined the ranks of cyber espionage.
For example, in June 2015, the FBI announced it was investigating the St. Louis Cardinals baseball team for allegedly hacking rivals the Houston Astros to steal performance data. Cardinals executives were suspicious when the former General Manager allegedly took proprietary information with him when he moved to the Astros, underscoring the need for more robust cyber security practices such as password changing requirements and two-factor authentication. During the 2015 Tour de France, the general manager of Team Sky stunned the world of cycling by alleging that unknown hackers had accessed reigning Tour champion Chris Froome’s performance data as part of a campaign to discredit him.
Unsurprisingly, larger international sports organizations have been targeted by suspected nation state actors seeking to gain insight into the organizations themselves, or else steal data that could be used for other malfeasant purposes. In September 2016, suspected cyber espionage actors with a nexus to Russia were alleged to have stolen medical data of Olympic stars from the World Anti-Doping Agency after the 2016 Rio Olympics, releasing some of it in order to cause public embarrassment of U.S. athletes and threatening to leak more in the future. In 2008, the International Olympic Committee, as well as several other Olympic committees, were breached in the months leading up to the Beijing Olympics. Three targeted entities were located in Taiwan and 49 were located in the United States whereas none were in China (with the exception of a U.S. News Organization’s Hong Kong Bureau).
Sports joined other critical infrastructure organizations in forming an industry-specific information sharing and analysis organization (ISAO) to help track and inform one another on threats targeting sports. Founded by the Cyber Resilience Institute and launched in August 2016, the Sports-ISAO is an Information Sharing and Analysis Organization dedicated to protecting the culture of professional and amateur sports around the world. It is a membership organization with targeted programs for leagues, teams, athletes, coaches, sponsors and other sports-related organizations seeking to engage in cybersecurity threat intelligence sharing.
Sports-themed cyber scams continue to be a favorite lure for hostile cyber actors, particularly in the weeks leading up to major events like the Super Bowl or World Series. But industrial cyber espionage activities targeting specific teams and official organizational bodies appears to be increasing, as valuable sensitive information can provide advantage and competitive insight to opposing teams. Sports organizations need to join other industries in devising cyber security strategies that focus on risk management principles to protect the unique information and processes. Because sports are more than entertainment; it’s a business whose interests continue to expand globally. Now that gambling has become legalized in many U.S. states, there’s more money to be made on them than ever.
This is a guest post by Emilio Iasiello