View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 23, 2020updated 24 Jul 2020 10:30am

No Patching, No CISO? Premier League Club Saved by the Bank after Hackers Targeted MD

No patching, no CISO, saved by the bank

By claudia glover

UK sports organisations are at growing risk of cyber attack, according to a report by the National Cyber Security Centre (NCSC) — which revealed that the managing director of a Premier League club had their email hacked during a transfer negotiation, with the club nearly losing £1 million in an incident ultimately blocked by the club’s bank.

Another English Football League (EFL) club suffered a “significant” ransomware attack, which crippled their corporate and security systems, and encrypted almost all the club’s end user devices, resulting in the loss of locally stored data.

“Several servers were also affected, leaving the club unable to use their corporate email. The stadium CCTV and turnstiles were non-operational, which almost resulted in a fixture cancellation. All systems at the stadium were connected to one network (VLAN). This meant that the infection spread across the estate quickly”, the NCSC said.

Intriguingly, the initial vector may have been networked CCTV.

Some 75 percent of those polled meanwhile admitted receiving fraudulent emails, texts and phone calls: despite this, just two percent identified fraud as a threat.

The average cost of an incident is £10,000, some of them costing up to £100,000, the NCSC said. In the Premier League incident, a spear phishing attack lead the MD to a  spoof Microsoft 365 login page, where he passed on his credentials to criminals.

Read This! The Big Interview: Peter Yapp, Schillings Partner & former NCSC Deputy Director: “Boards Need a CISO Who Reports Directly to Them”

The criminals assumed the identity of the MD and communicated with the club at which a player was being eyed for a £1 million transfer, while at the same time creating a false email account pretending to be the European club talking to the MD.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

At this point both clubs were speaking to cyber criminals instead of each other. Fortunately, as the cyber criminals’ account had a fraud marker against it, the bank ultimately refused the payment. Others may not be so lucky/

Vulnerable to “Basic off-the-Shelf” Cyber Threats

While there have been no reported incidents regarding remote systems like CCTV and turnstiles, the report has revealed that up to one third of those polled do not have a patching strategy in place for their industrial control systems, CCTV,
turnstiles, and payment systems.

“Unpatched systems offer a security weakness that attackers can exploit with basic off-the-shelf capabilities” as the NCSC reminds teams.

“It’s important to understand and manage this risk”.

One reason for this lack of security could be that, while almost three quarters of those approached agree that cyber security is a high priority for their organisation, almost none of those polled have a dedicated cybersecurity role, preferring instead to keep it as one responsibility of their broader IT departments.

Ciaran Martin, the NCSC’s outgoing CEO, said: “Sports organisations are reliant on IT and technology to manage their office functions and, increasingly, their security systems at venues. As detailed in this report, cyber attacks can have a wide-range of impacts; from multi-million pound fraud to the loss of sensitive personal data.

“The NCSC is not just here to look after the IT systems of the UK government.

“We are committed to supporting the sports sector and we encourage you all to implement the guidance outlined in this report”.

(These include network segmentation, multi-factor authentication, and technical security controls to improve password management, “like blacklisting common passwords and allowing the use of password managers.”).

Carl Wearn, Head of e-crime at Mimecast said: “No organisation or sector is safe from cyber threats, and that includes the beautiful game.

“Transfer deals are obviously a high-pressure time for many football clubs, with lots of fan pressure to get the deal over the line. This pressure can potentially be really detrimental to cyber-hygiene and lead to own goals. In this instance, the attack appears to be an impersonation attack and this variation is definitely on the rise. Our recent State of Email Security report found that 60% experienced an increase in impersonation since last year. whilst 51% have been impacted by ransomware in the past 12 months. Football clubs spend millions every summer investing in their team’s defence, but it is time they started investing in their cyber-defence.

“Not investing in their organisation’s cyber awareness will leave cyber-criminals with an absolute tap in, that even a Sunday-league striker couldn’t miss.

“In a related trend, mergers and acquisitions are being utilised as a theme in BEC emails and employees should be wary of any communications related to “sensitive projects” which may well be seeking to deter you from undertaking adequate steps to verify the authenticity of it. Taking just a few seconds longer to fully consider any important requests could well prevent a significant loss, sometimes in the millions.”

Don’t Leave Before You’ve Read This: DMs Raided in Twitter Hack that Saw Bill Gates, Elon Musk, Barack Obama’s Accounts Accessed

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.