Sports industry urged to reform cyber security after £1m Premier League phishing scam

NCSC report argues greater awareness is needed as industry attacks surge

The managing director of a Premier League football club narrowly avoided losing £1 million during a transfer window after their email account was targetted by hackers.

The incident has sparked calls for greater cyber security awareness in the sporting industry, one that can prove to be particularly lucrative for hackers.

The unnamed club was saved at the last minute by the other club's bank, which intervened when it was clear that the money was being sent to a fraudulent account, according to a National Cyber Security Centre (NCSC) report.

The incident is almost an exact replica of the successful phishing scam against Italian club Lazio in 2018, which resulted in €2 million being lost to scammers.

According to the report, the managing director of the unnamed Premier League club had entered his credentials into a spoofed Office 365 page operated by hackers. When the transfer window opened, the thieves possed as this MD to intercept the transfer negotiations, talking directly to the European club attempting to buy a Premier League player. The European club's bank managed to spot the discrepency during payment in time, halting the transfer.

This is just one of a number of security incidents the NCSC has used in The Cyber Threat to Sports Organisations report to highlight just how lucrative the industry is to hackers. According to the report, at least 70% of sports institutions suffer a cyber incident every 12 months, which is more than double the average of UK businesses.

Another example from the football league saw a ransomware attack shut down a club's stadium. The hack encrypted all of the club's IoT devices, resulting in the loss of locally stored data and the shutdown of its stadium turnstiles, which almost resulted in the postponement of a fixture.

The club was asked to pay 400 Bitcoin to get its systems back online, which it ultimately refused. According to the NCSC report, the attacker remains unknown, but the attack was likely preceeded by either a phishing email or a remote access hack through its CCTV system.

Related Resource

Phishing and fraud report

Simple yet effective attacks you can’t afford to ignore

Download now

"While cyber security might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real," said Paul Chichester, director of operations at the NCSC.

"I would urge sporting bodies to use this time to look at where they can improve their cyber security - doing so now will help protect them and millions of fans from the consequences of cyber crime."

Away from football, phishing scams using a spoofed eBay account managed to pull in approximately £15,000 from staff members at a racecourse. An organisation that holds athlete performance data also had a compromised Office 365 email account that had been automatically forwarding personal information to a hacker's email address. 

Around 30% of the incidents in the report caused direct financial damage, with an average of £10,000 being lost each time. The biggest single loss was £4 million, according to the NCSC.

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Recommended

X-rated phishing attacks just keep growing
phishing

X-rated phishing attacks just keep growing

4 Jun 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020
phishing

eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020

20 Apr 2021

Most Popular

HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021
Veritas Backup Exec 21.3 review: Covers every angle
backup software

Veritas Backup Exec 21.3 review: Covers every angle

14 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021