Whilst the news that Manchester United had been hit by a “sophisticated operation by organized cyber criminals” was widely reported on Saturday, little detail has emerged since. In particular, there has been no update to the club’s original statement that “We are not currently aware of any breach of personal data associated with our fans or customers”. Interestingly though, the club had clearly identified the risk of cyber attacks in its last Annual Report:
Though we seek to protect ourselves by putting processes in place that are designed to prevent such attack and regularly monitor alerts and updates from leading cyber security vendors and trusted authorities, our IT systems and other third-party systems utilized in our operations may still be vulnerable to external or internal security breaches, acts of vandalism, computer viruses or other forms of cyber-attack.
More broadly, a survey earlier in the year by the UK’s National Cyber Security Centre found that 70% of sports organisations had experienced at least one cyber incident or data breach in the last 12 months. Indeed 30% of sports organisations had encountered at least five in the last year! By far the most common method of attack experienced was “fraudulent emails, text messages or phone calls”.
The report touches briefly on the steps that sports organisations are taking to mitigate the threat; concluding that cyber risk management was primarily defensive, focusing on compliance with GDPR. This agrees with our own findings from analysis of Cyber Essentials, which found that only a handful of sporting organisations had achieved certification.