How a new defensive line can protect sports properties

Editor’s note: This column is corrected from the print edition.

Professional sports organizations, from leagues to teams and players associations, are increasingly leveraging technology to inform game strategy, devise marketing campaigns, and connect with fans.

Using technology in these ways brings tremendous advantages, but it also carries significant risks. News regularly breaks about major data security incidents at leading retailers, financial institutions, and even the U.S. government. Sports organizations are similarly vulnerable as they increase reliance on technology. And their outsized attention can heighten the risk, and exacerbate the consequences, of cyber-attacks. Numerous incidents have occurred in the athletic world over the past years, and they contain valuable lessons.

In a highly publicized event, the scouting director of the St. Louis Cardinals, Chris Correa, accessed the computer systems of the Houston Astros. According to the FBI, he did so on numerous occasions by logging into the team’s network with a password similar to one used by a former Cardinals employee who had left for a job with the Astros. Correa reportedly stole sensitive information, including the Astros’ list of players eligible for recruitment in the 2013 amateur draft and notes regarding potential player trades. The attack prompted an FBI investigation and federal prosecutors ultimately filed criminal charges. Correa eventually pleaded guilty and was recently sentenced to nearly four years in prison. An ongoing MLB investigation could also result in punitive measures against the Cardinals. This incident demonstrates that basic access and secure password protocols can go a long way toward protecting sensitive assets, and that some sports organizations are falling down on simple cyber hygiene.

Another recent example involved a stolen laptop from a Washington Redskins athletic trainer’s car. The computer contained medical records of Redskins players and potential recruits observed at the NFL combine, records dating back as far as 2004. The laptop appears to have been password-protected, but critically, its data was not encrypted and therefore is vulnerable to exposure. The Redskins have publicly recognized that failing to encrypt their hardware was a mistake, vowing to “prevent future incidents” by, among other things, “encrypting all laptops.” The incident reportedly has prompted an internal investigation by the NFL, which appears to view the episode as a wake-up call, imploring all teams to review and improve their security protocols.

Photo caption: Former Cardinals scouting director Chris Correa was sentenced to nearly four years in prison and ordered to pay $279,083 in restitution for hacking the Astros’ player personnel database and email system. (Photo: AP Images)

There have been other less publicized, but equally alarming, cases. Around the same time as the Redskins theft, a cybercriminal used a phishing email to masquerade as the Milwaukee Bucks president and access tax documents containing sensitive player information. In February 2014, a trojan infected the Marussia Formula One team’s computer systems, knocking out a day’s worth of testing data ahead of a major race. And back in 2008, hackers used malware to commandeer the fan sites of Britain’s Arsenal soccer team and the New York Jets.

The threat is not limited to attackers who pursue commercial goals; political actors have taken advantage of sports organizations. In March 2015, ISIS sympathizers hacked into and defaced the website of Ohio’s Eldora Speedway. An English rugby club fell victim to similar attacks in November 2014, and in February of that year, supporters of Syria’s president hacked into FC Barcelona’s Twitter account to protest the team’s sponsorship by Qatar Airways. Such attacks not only disable normal social media functions but also threaten the trust that prominent brands have established with their fans.

In addition to such commercially and politically motivated hackers, a cybervigilante group reminiscent of WikiLeaks has emerged in the world of European soccer. The media has reported that the organization, which calls itself “Football Leaks” and first surfaced in September of 2015, aims to expose controversial business practices involving European soccer teams. The group has leaked a number of third-party ownership contracts, by which speculators can purchase financial interests in the future performance of sought-after players, a practice recently banned by FIFA.

As the examples above illustrate, sports organizations’ reliance on technology may have outpaced their investment in cybersecurity. The first step in ratcheting up cyberdefenses is to identify the assets that require protection. Some assets, such as performance analytics and consumer data, are obvious. But others often go overlooked. A prime example is the personal information that teams maintain about players, including compensation figures, medical records, drug test results, and notes from internal investigations of past indiscretions — anything that would affect an athlete’s playing ability, employability, or reputation. The loss of such information could erode the trust between players and the organizations that are meant to look out for them.

After identifying key assets, those in charge of cybersecurity must take three steps:

Develop proper policies and procedures.
Install the right network architecture.
Train employees.

Policies and procedures could include a prohibition on removing sensitive data from the organization’s physical premises. Secure network architecture would confine important information to protected channels, for instance, by requiring the kind of encryption that may have rendered the Redskins theft harmless. And adequate training would teach members of the organization how to identify threats, including phishing emails like the one that enabled the Bucks breach.

Finally, sports organizations should dedicate resources to incident response planning. Just as sports teams make time to write, study and practice the contents of a playbook, sports organizations have to articulate, review and field-test security protocols. They should require all employees to know the protocols thoroughly, and they must test that knowledge by running breach simulation exercises.

Professional sports organizations are sophisticated businesses that manage sensitive information. The multitude of recent cyber incidents in the sports industry demonstrates what happens when sports organizations do not invest enough in cybersecurity: They fall prey to hackers who are increasingly skilled and who focus on an ever wider range of targets. The threat may be amorphous, but there are concrete steps that sports organizations can take to avoid incidents. Such steps are fundamental, and in the realm of cybersecurity — as in athletics — the fundamentals are essential.

Richie Birns (rbirns@gibsondunn.com) is a partner and co-chair of Gibson Dunn’s Sports Law Practice Group. Alexander Southwell (ASouthwell@gibsondunn.com) is a partner and chair of Gibson Dunn’s Privacy, Cybersecurity and Consumer Protection Practice. Ben Arad is a former associate in Gibson Dunn’s litigation department.
