Sports industry cybersecurity pros talk shop

Every industry is susceptible to hacking, and US sports are no exception. The industry pulls in tens of billions of dollars a year and has an audience of millions across the major franchises, making it an appealing target for threat actors.

At the RSA 2023 conference in April, security heads from the NFL, NHL, and NBA came together to discuss how they manage the threats to fans and players. During the panel, moderated by FBI Cyber Division Section Chief Joseph Szczerba, the cybersecurity experts discussed their biggest challenges.

Sporting-event cybersecurity is a priority from entrance to egress, NFL CISO Tomás Maldonado said. Maldonado explained that his job starts when people buy tickets online. Any cyber event that could affect the consumer from that moment until they get home from the game is on his radar. It’s a matter of scale.

“Normally, you probably went to the venue and came back and you were happy or sad depending upon what the outcome was—you weren’t thinking about anything digitally impacting your experience,” Maldonado said. “And that’s because we were able to do our job and connect the dots for you to be able to have that experience.”

That doesn’t mean things are easy. In 2016, Russian hackers, seemingly angry over the country’s exclusion from the Olympics, released information on US and other athletes competing at the games. The San Francisco 49ers were the target of a ransomware attack in February 2022, and 10 months later, during the World Cup, hackers took down FuboTV during the airing of the semifinal match between France and Morocco.

One of the biggest problems of managing cybersecurity threats during sporting events, NHL CISO Dave Munroe said, is the number of “high-profile individuals” in the arena at any one time. This includes players and celebrity fans, all of whom would be juicy targets for threat actors—but the threat surface includes everyone else, too.

“We have to really protect all of those people, even someone who’s doing payroll, or someone who’s in HR—they’re all part of the brand, they’re all an extension of the brand,” Munroe said. “And we have to protect them as such.”

Finals make things even wilder, said NBA CISO Steve Grossman, but protection comes in part from teamwork. The back and forth collaboration between leagues helps them all to manage the unique industry challenges that come from the world of professional sports. Working together in concert with the FBI makes that process smoother.

“We make sure that we’re reaching out to the field office, we make sure that we are engaging with CISA,” Grossman said, and “ that everybody, from an all-hands-on-deck perspective, has visibility into really what’s going on in a city where we’re hosting a tier-one type of event.”