Premier League clubs are expected to tighten cyber security methods as investigators warn a hack on Manchester United is just the tip of an iceberg.
United are believed to be facing a seven-figure ransom demand over the attack, which has left the club still unable to fully restore its computer systems. GCHQ cyber security agents have been called in to help.
The National Cyber Security Centre recently published a report showing 70 per cent of major sports organisations are targeted by hackers every 12 months.
Ciaran Martin, a professor at the University of Oxford’s Blavatnik School, told Telegraph Sport on Friday night how he saw attacks on sporting organisations rise while he was chief executive at the NCSC.
“The risk to sport was on the up, not markedly, but incrementally, because of the realisation by potential attackers of rich sources of data and money that might be available from sporting organisations,” he said. “It’s big business, as we all know.”
Manchester City say it is a “matter of public record” that they have also been repeatedly targeted. In February, an IT worker was arrested amid claims he got players’ personal details and records of confidential transfer talks from Pep Guardiola’s email account. Last week, it also emerged British athletes were among hundreds of female sports stars and celebrities whose personal photographs had been breached in an iCloud attack.
“Sports organisations are at risk from cyber attacks for two reasons,” Martin, one of the leading figures in the UK’s fight against cyber crime, said. Nation-state attacks – such as Russia’s breach against the World Anti-Doping Agency in August 2016 – are high profile, but rare, he explained. “The other, which looks more likely here – although I must stress I don’t know the details because I’m not in Government any more – would appear to be a standard criminal ransom attempt to extort money by encrypting data or otherwise compromising data.”
The Football Association beefed up its security ahead of the World Cup in Russia in 2018, but many Premier League clubs have yet to bring their security levels in line with some other sectors.
Government has no powers to stop victims paying out ransoms in such circumstances unless attackers are on prescribed terror lists. In United’s case, it is unlikely that the criminals are on the hit list of the US Treasury Department, which has powers to issue fines of up to $20million (£15million) in such circumstances.
Martin says there is nothing “exceptional” about sports being targeted, but “organisations with data and money will tend to attract criminal attackers like everybody else”. “Improvements in cyber hygiene resilience and ability to cope with incidents, having backups and so forth, are absolutely key,” he added. “Hackers will not always know what they’re targeting.”
United confirmed the hacking on Nov 20 and said they were not “aware of any breach of personal data associated with our fans and customers”.
As of Thursday night, club staff still did not have access to email, and some other functions were also unavailable.
The NCSC said it dealt with more than three times as many ransomware incidents as last year and noted that criminals were changing their approach during such attacks, increasingly threatening to leak information publicly unless payment is made.
Steve Kuncewicz, a partner and sports law specialist at BLM, told The Telegraph: “I think United did the right thing by getting out in front of it as best they can by letting their fans know that they don’t think any of their personal data has been compromised, because what they do next will depend upon the extent of the infiltration.”
The NCSC says “the primary cyber threat to sports organisations comes from cyber criminals with a financial motive”. “Major losses have been experienced by sports organisations as a result of bespoke attacks, where criminals have harvested information before undertaking fraudulent financial transactions,” the report concludes.