Professional sporting events have long been targets for violent attacks and terrorism due to the large numbers of attendees. In recent years, these events have also been the target of cyberattacks, with attackers exploiting venue operations to disrupt events, exploiting payment systems to commit fraud, infiltrating networks to steal data, and exploiting athlete and fan interactions.
While the minutes of play are crucial, sports franchises and event organizers must also commit resources to many other vulnerabilities, including a growing and increasingly fragmented ecosystem of stakeholders such as broadcast and streaming partners, ticket sellers and legal gambling platforms.
“So far, we’ve done pretty well,” Betsy Cooper, director of the Aspen Institute’s Technology Policy Hub, said during a panel at the 2024 Aspen Cyber Summit in Washington, D.C. Despite the growing threat, operators of major franchises, leagues and international events (such as the Paris Olympics) believe their proactiveness has prevented the kind of catastrophic events that other industries have faced.
1. Athletes need to train more
Athletes are increasingly relying on social media and technology platforms to connect with fans and build their brands. “I represent a lot of athletes, and a lot of them rely heavily on social media to build their brand and grow their following,” Jair Thomas, founder of Diverse Representation, a group of African-American agents, lawyers, managers, publicists and financial advisors to athletes and entertainers, said during the panel. “A lot of mistakes are made along the way, and they’re not always the most tech-savvy.”
These players are quite young and may not realize that using these platforms exposes them to ransomware attacks or raises the risk of their personal information being compromised. “These teams are primarily made up of kids, and we need to step up our education,” Eric Tysarchik, executive vice president of the National Hockey League, said during the panel.
2. Event attendees are vulnerable
Most events now only accept electronic tickets, meaning nearly every attendee has a mobile phone, and the NHL says fans should take precautions with their devices.
“Imagine if everyone in that arena was walking around with a piece of paper with their personal information stuck to their back,” Tysarchik said. “How attractive would that be for a bad actor to break in and start collecting all that data?”
3. Partnerships are key for large-scale events
Los Angeles 2028 Olympic and Paralympic Games CEO Reynolds Huber told the panel that one reason there were no disruptive cyberattacks at the Paris Summer Olympics was information sharing between law enforcement and partners. The most notable activity leading up to the Olympics was an influence campaign by Russian threat actors. “Russia was very active in Paris, trying to disrupt,” said Huber, a former Army and National Guard lieutenant general with a background in military intelligence.
The 2028 Los Angeles Olympics are expected to feature 800 sports and attract as many as 15 million spectators, 15,000 athletes and 25,000 broadcasters. Huber said the committee is preparing for a range of threats, “from idiots in their basements doing stupid things to nation-state attackers.”
The LA 2028 Commission is partnering with U.S. government agencies, including the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency and the Federal Communications Commission.
“We can’t do this alone,” Huber said. “It requires public-private cooperation and open, honest information sharing.”
4. New streaming models create new challenges
All major leagues are expanding broadcast rights to streaming providers, bringing in new viewers and new revenue. But an attack that interrupts a broadcast for even a moment could be costly in terms of lost advertising revenue, Tysarchik said. “We have a lot of trust in third-party operational technology and their cyber protection,” he said.
5. Legal sports betting will place emphasis on internal data
And now that sports betting is legal in 38 U.S. states, including Washington, D.C., and Puerto Rico, data theft has become more lucrative than ever for threat actors. Nonpublic information, including health records and other proprietary statistics, is especially valuable. “[That’s] data that people can use to spot trends and see where the betting money is going,” Tysarchik said.
6. Expanding partnerships require high levels of data protection
Huber said that in a broader ecosystem that shares more and more data, it’s necessary to ensure information isolation, which was a focus for the Paris Games this summer. “This really requires a partnership effort, and in Paris it was an all-hands-on-deck effort to secure the network,” he said. “It’s a closed network, so we’re very concerned about the integrity of the sport, the safety of the athletes, the safety of the spectators. And we need to protect the data, keep it inbound, and make sure the right people are receiving the right data.”