Cyber criminals tried to sabotage Premier League transfer

National Cyber Security Centre report urges UK sports to ramp up cyber security

Cyber security is a major concern for UK sports, according to the National Cyber Security Centre. Reuters
Powered by automated translation

The managing director of an English Premier League club nearly handed over £1m to criminals who hacked his email before a transfer deal, UK cyber security experts said on Thursday.

The executive was tricked into handing over his email and password allowing the criminals to monitor a transfer deal worth nearly £1m (Dh4.67m) with a European club, according to a report by the UK’s National Cyber Security Centre (NCSC).

Unidentified criminals used faked emails and identities to pretend to be representatives of the selling club and sent the managing director details of a bank account that they controlled. The crime was only foiled after the bank blocked the payment, according to the report, Cyber Threat to Sports Organisations. The clubs were not identified.

The cybercrime gang involved in the plot is understood to be unconnected to a plot revealed in US court papers this month to target a club from the 20-team English Premier League in a £100 million fraud.

Instagram celebrity Ramon Abbas, better known as Hushpuppi, was arrested last month in Dubai and sent to the US where he is accused of involvement in the attempted football club fraud and a string of other targeted cyber-attacks on businesses. It was not clear if the fraud on the club was successful.

The report also revealed that an English football league club was targeted by cybercriminals who demanded about Dh14 million in bitcoin or face their computer systems being wiped.

The unidentified club declined to pay and the loss of data resulted in CCTV stopping working and turnstiles being blocked which nearly forced the cancellation of a fixture.

Other incidents included the hacking of an email address at a body that held athlete performance data which led to 10,000 emails being sent to an outside address and the theft of sensitive data of 100 people.

The NCSC said that sports were a high-value target for criminals with at least 70 per cent of major sports organisations suffering a cyber incident every 12 months, double the average for UK businesses.

The attacks have mainly been by criminals but states have also been behind a small number using similar tactics, the report said.

It highlighted attacks by Russian Military Intelligence against the World Anti-Doping Agency in August 2016 and the leak of sensitive information. The attack followed the banning of Russian athletes for the country’s doping programme.

The 2018 Winter Olympics in Pyeongchang, South Korea, was also hit by cyber-attacks in an attempt to disrupt the Games. US intelligence officials have reportedly blamed Russia for the attack while trying to make it appear as if North Korea was responsible.

Sports are believed particularly vulnerable to corruption following the global disruption caused by the coronavirus pandemic.

“While cyber security might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real,” said Paul Chichester, director of operations at NCSC.

The NCSC found that approximately 30 per cent of incidents caused direct financial damage, averaging £10,000 each time; the biggest single loss was more than £4 million. Approximately 40 per cent of attacks on sports organisations involved malware. A quarter of these involved ransomware, according to the report.