Hacking as a Competitive Sport, In Sports

Mike Patterson’s blog was recently featured on the RSA Conference featured here. Below are his full thoughts.

Recently we witnessed a rookie’s debut into the world of the breached–the MLB’s Houston Astros. With St. Louis Cardinals management now acknowledging its role in the attack to obtain operational information, it is a fascinating development for a number of reasons. Millions of credit cards stolen from a retailer? Been there, done that. Data on professional sports teams being illegally accessed? Way more interesting.

The Cardinals’ digital debacle is a serious reputational threat to a proud and classy franchise. Without blaming the victim, there are also questions that Astros management must ask themselves about the quality of their cyber-security posture, to say nothing of Astros season ticket holders who must be wondering whether their contact and credit card information is safe going forward.

However, there is a lot more at stake than what amounts to corporate espionage between two baseball clubs. This case shines a spotlight on the digital trophies each professional sports team has, not to mention the leagues, individual athletes, unions, sports agencies and sporting goods companies that make up our collective sports landscape. They all possess incredibly valuable information that represents an absolute gold mine for those with less than honorable motives.

To illustrate, let’s take a look at some information available within individual franchises, the groups that would want it, how it could be used and what teams can do to start mitigating their risk of a breach.

Player Health, Rosters
Why would a rival team care about the health of players on the team? It would be useful to set player rosters. Do Chicago Bulls team doctors and staff believe Derrick Rose is returning in four weeks or three months from his latest injury? Will Joakim Noah play tonight or rest until the playoffs? The health of a player can also influence negotiations if the player will be entering free agency at the end of the season.

Related to player health, rival teams can also plan accordingly if they know what kind of decisions are being made regarding the rotation and roster. Linking back to the talk of regency, teams want to know who has signed, and who may be willing to look at other other offers. Will Coach Steve Kerr change the Warriors’ lineup during the NBA Finals? How much will the Blackhawks offer their restricted free agents as they rebuild after the Stanley Cup? Is there a danger of key players holding out and missing games before NFL week 1?

This would include player evaluations, as well. What did the Buccaneers’ pre-draft investigation into Jameis Winston determine? Who are the Lakers coveting in the upcoming NBA Draft?

Logistics, Finances, Reputation
Teams may not want to publicize their travel schedules and may not be interested in leaking when they will be arriving or where they are staying. Or want their balance sheets and financial statements to be visible by external parties.

There are other areas which can be compromised. Does the team have an apparel shop or accept credit card payments of any kind? That is a point of entry for attackers. Or information about celebrity season ticket holders. And the last thing a team wants is to have its website or systems hacked or defaced during the week of the Super Bowl.

Team Plans
Does a team have real ambitions to move to another city or build a new stadium? What are the plans for team logo and jersey re-designs? For teams that use “minders” to keep players out of trouble, what close calls or transgressions have they witnessed or quietly fixed? How protected is the personal information, prescriptions, bank numbers, etc. of famous multi-millionaire athletes?

Is a team’s playbook accessible on their network? How about designs and specs for a team’s new IndyCar?

Interested Parties and Motives
So we know what can be stolen. Let’s look at who wants to steal it. Gamblers, or specifically, an unscrupulous gambler or syndicate capable of fixing games or breaking the rules for an edge. Knowing which players will be out, returning early, or playing hurt is valuable insider information that can drastically improve a gambler’s odds. How many ways could one profit from knowing this information before the sports books do? (Or perhaps being the only ones to know?)

Rivals can stoop low to get a scoop on the competition. What could competitors do if they knew whom you value most and who’s going to need a moving van soon? They could easily gain the upper hand in trade talks, drafts and contract negotiations during free agency, not to mention the damage they could do on game or race day. It’s the 21st century equivalent of stealing signs.

The criminals tend to dominate the conversation. Beyond the betting dens, cyber-thieves tend to gravitate toward financial and credit card data, wherever it lives. As a bonus, season ticket holders tend to have disproportionately higher income than a random sampling of customers from general retail stores.

And then there are insiders. Soon to be ex-employees are absolutely capable of taking valuable information with them on the way out the door — from playbooks to scouting reports. Because of the recycling-like nature of sports employment, this usually means they are taking it to a competing club.

Don’t rule out the fans. They may not be as harmless, as fan motivation can range from pure curiosity (finding out when a star player will return or where players are staying on the road) to malicious (hack the website or steal sensitive information from their team’s rival).

What to Do
The first step is data mapping. Conduct a top-to-bottom evaluation of your team’s critical information / assets and where it lives in your organization. What are your diamonds and where are they kept? How can what I have be used against me and result in on-field or off-field losses?

Conduct a cyber risk assessment to emulate hacker attack paths and identify areas of risk to the franchise. This should include an evaluation of both technical and non-technical areas (i.e. firewall vulnerabilities vs. email phishing susceptibility) and suggested areas for remediation.

Invest in proper tools and monitoring, such as a 24 x 7 security monitoring and incident response services, along with intrusion detection, intrusion prevention, log storage / monitoring and network anomaly detection capabilities on the tools side.

Also, team management would do well to retain a crisis PR firm — now — that can help them prepare for, and if necessary, manage through a cyber-security incident. Think of it as pre-season training for franchises that care about their brand, which presumably means all of them. The key for any team is to find a PR agency that is dually competent in the cyber-security space to handle the full range of issues a team can face in today’s world.

Mike Patterson is VP, Strategy with Rook Security, a global IT security solutions provider.