Not All Fun and Games: Professional Sports Teams are a Lucrative Target for Attackers

James Mignacca
CEO
July 26, 2023

There’s big money in professional sports—for players, teams, and cyber threat actors. Professional sports organizations handle sensitive data that’s unique to the industry. They store treasure troves of information and highly confidential details, like player personal information, health information, playbooks, and scouting reports.

Sports organizations are a high-value target

Sports organizations also have a deeply loyal fan base that willingly shares personal information for things like team newsletters, raffles, special offers, and club memberships. Just this year, the National Basketball Association (NBA) alerted fans of a data breach that leaked their personal information via a third-party newsletter, and warned of subsequent phishing attacks.

Professional sports teams face unique cybersecurity risks. In addition to data protection and privacy regulatory violations, organizations risk financial losses and the loss of fan trust, athlete confidentiality, and competitive advantage if sensitive and highly confidential information is lost or stolen.

Cyber incidents in professional sports

Compromised systems can lead to outages, lost ticket sales, and even cancelled games. A ransomware attack against Manchester United in 2020 halted operations and crippled the organization’s IT systems. Last year, the San Francisco 49ers suffered a ransomware attack that leaked the names and social security numbers of more than 20,000 employees, officials, and fans.

In some cases, sports-related breaches have had geopolitical ties. In 2021 the Swedish government discovered that the Russian military intelligence agency GRU had hacked the Swedish Sports Confederation in 2017 and 2018.

Data sprawl drives data concerns

Like all businesses, professional sports organizations suffer from data sprawl across multiple internal and external cloud-based systems. Data proliferation, as well as unclassified and orphaned data across systems, complicates data protection strategy and increases an organization’s risk of breach.

Common challenges that professional sports teams face include:

  • Instituting data classification for cybersecurity insurance and auditing purposes.
  • Cutting down on data movement both within and between teams to mitigate data loss risk.
  • Managing data sharing and access—some leagues intentionally share data across teams, but knowing where that data lives and who has access to it is difficult.
  • Getting a handle on the mass data volumes that live within an organization’s ticketing software.
  • Gaining visibility across data warehouses and SaaS-based data management solutions.

(Data protection) practice makes perfect

Data protection starts by understanding what an organization’s attack surface looks like. Understanding what assets and systems the organization uses (and the data types they contain) is critical to mapping and managing the organization’s attack surface.

Like all businesses, as sports organizations add new assets, they stretch the business’s overall attack surface, increasing cyber risk and the likelihood of a data leak or security breach. Without visibility into digital assets and sensitive data, the organization increases its risk profile. The specific data an organization has also contributes to liability, so visibility into data types can help professional sports organizations calculate the value of their data, which is frequently sensitive.

Use best-practice cyber playbooks

Instituting a robust security posture starts with embracing best practices and data protection and privacy frameworks. Layered security controls and processes build a data protection strategy and security program that can scale over time to meet and face ongoing and ever-evolving threats.

The NIST data protection and data privacy frameworks and the CIS benchmarks are arguably the industry’s most recognized and universally applied guides. Regardless of what your security tech stack looks like, these frameworks help IT and security teams focus on understanding what data an organization has, which can be achieved and sustained through automated data discovery and classification.  

Achieving and maintaining visibility into organizational assets and classifying them based on data type underpins even the most basic data protection and regulatory compliance initiatives. Here are some examples, in line with best practice pillars:

Data Discovery & Classification

  • Discover and maintain a data inventory by asset, automatically classifying sensitive data.
  • Identify sensitive data types within the data inventory and define relevant data types.
  • Query, report, and drive operational steps and strategy considerations using real data.

Data Protection

  • Align to industry best practices.
  • Customize settings to make it easy for employees to use systems securely (and harder to violate data policies).
  • Understand critical data across all systems with an up-to-date inventory.

Compliance

  • Continuously update data inventories, sensitive data classifications, data access permissions, and data risk posture.
  • Lower the complexity of compliance-based activities by maintaining a 10,000 ft view of the larger data landscape.
  • See the full picture and be able to focus in on specific areas to answer audit questions.

Data Loss Prevention

  • Manage organizational data policies by defining access boundaries for your data.
  • Get alerted if customer or employee data is found in a place it shouldn’t be.
  • Discover, track and define data boundaries to make sure real-time alerts flag when action needs to be taken.

Incident Response

  • Understand where sensitive data lives on the network, how it’s protected, where it’s been used, and who has access to it.
  • Respond faster when an asset goes missing or has been compromised by getting the insights needed for the asset in question, the data it contains, and who accessed it.
  • Leverage real data to make critical and time-sensitive response and remediation decisions.

At a granular level, every asset, whether hardware, software, or cloud-based, is as valuable as the data it contains. And every asset a professional sports organization collects and shares stores sensitive structured and unstructured data types that elevate cyber risk, especially as the information sports organizations possess is often high-value.


Cavelo supports professional sports organizations in managing risk proactively and protecting the data of their players and fans. Book a demo today to learn more about the Cavelo risk management platform.
