Where are football’s cybersecurity casuals and hooligans?

Remember casuals and football hooligans? Or what about films like The Firm? Football casuals causing chaos to opposing fans (and others) for various reasons. I’m not saying it’s a problem that the game has eliminated, but where’s the 21st century cybersecurity equivalent?

Cybersecurity – not your usual kind of football hacker

Think about it, there’s tons of reasons for fans to want to hack into opposition clubs, including:

  • membership databases for some clubs will run into the hundreds of thousands (many complete with credit card details)
  • there’s the chance to discover info on what’s really going on at the club
  • learn what players are on or what the club is worth (very valuable intel)
  • bank details of the players
  • or to  just cause embarrassment (imagine if the Rangers FC logo appeared on the Celtic website or similar with Liverpool/Everton)
  • and that’s before you consider someone trying to do a massive pen test or USB stick drop on the day of a game. Any random person could hand out tons of USB sticks and you’d get at least 50% of people plugging them into their own computers – probably more if it was branded with the club’s details, making it look official.

But does it happen? I contacted 30 clubs up and down the UK and asked one simple question around their cybersecurity. None of them would give me any sort of answer – and that’s fair enough because it is a huge potential issue.

What can clubs do to minimise cybersecurity breaches?

There’s a lot clubs – like any business – can do around cybersecurity:

  • train staff not to hold doors open or give out any information on the phone
  • compartmentalise data – don’t have the confidential material accessible on the same network as the stadium guest wifi for example
  • compartmentalise access – certain people can only access certain relevant data. You could even make it that only certain IP addresses could access certain data
  • two factor authentication – don’t just rely on passwords
  • good software and alerting tools – software can help so much, including scanning for suspicious activity
  • ensure staff are happy – disgruntled staff are often the biggest cause of cyber leaks
  • train for it happening – practice what would happen
  • look out for fake websites or man in the middle attacks on match days via stadium wifi
  • have a worst-case scenario full plan – including communications (internal and external) for when it does happen.
  • bring in cybersecurity experts like Chelsea Sievewright, John Whitehill or Colin Slater (slight plug for the day job: PwC in Scotland has one of the Scotland’s largest cybersecurity teams)
  • accept that it will probably happen, so plan for when it happens, not that it will never happen.

Now if you’ll excuse me, my head is full of pun-related football-related songs…