Cybersecurity Within the Sports Industry

Written by: Jamel Favor, Elaina Hagen, Stephens Lucchesi, Eva Salmeron
Photography by: Unsplash

Q: Eva: What are the negative impacts of a data breach on large sports corporations? Are there any examples of a large-scale data breach in recent years? 

A: There are many negative impacts of a data breach that can occur on large sports corporations. For example, it can damage a team’s reputation, cause major financial loss for venues or even fans, release private medical information of players, or damage a game’s integrity (Ataman, 2013). An additional negative impact can be the release of athletes’ personal data, which could lead to not only financial concerns but also safety concerns.

An example of a large-scale data breach in recent years occurred during the 2016 Olympics in Brazil, when a hacktivist group targeted Brazilian government websites because it was unhappy that the city of Rio was hosting the Olympics that year. The attack caused the Olympics event to go offline, and the group leaked personal, financial and login information.

One final example occurred on February 12, 2022, when the NFL’s San Francisco 49ers confirmed a data breach that impacted more than 20,000 individuals following a ransomware attack by a group called “Blackbyte”. The group was able to obtain personal information, including social security numbers of fans, business partners, etc. This particular group was known to “sell back” the information it steals to its victims, as its motivation is monetary (Gatlan, 2022).

Q: Elaina: What are the legal ramifications taken against large corporations if a player’s medical information is compromised and released without their consent? 

A: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge (CDC, 2022). A breach is defined under § 164.402 as “The acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information” (Federal Register, 2023). If a company’s sensitive data is breached, there is a four-tier penalty system that depends on the severity of, and the response to, the entity’s failure to protect player health information. The tiers are as follows:

First tier penalties are given when a covered entity did not or could not have known about a breach occurring. These penalties can range from $100-$50,000 per incident (Gsimon, 2021). 

Second tier penalties are given when, through proper diligence, the covered entity either knew or should have known about the breach, yet it is still not considered willful neglect. These penalties can range from $1,000-$50,000 per incident (Gsimon, 2021).

Third tier penalties are given when a covered entity acted with willful neglect but corrected the breach within 30 days. These penalties range from $10,000-$50,000 per incident (Gsimon, 2021).

Fourth tier penalties are given for willful neglect without any proper corrections made in a timely fashion after the breach. These penalties are at least $50,000 per incident with a maximum of $1.5M (Gsimon, 2021).

A data breach of this magnitude is an expensive problem to have, and individual corporations like the NBA, NFL, MLB, etc. have hundreds of athletes that are susceptible to having their personal medical records released.

“Breaches affect more than just providers, and it’s important that businesses working closely with sensitive data understand the cost of negligence” (Gsimon, 2021).

Q: Stephens: How can leaked contract information containing player salaries and private negotiations cause an unfair advantage for other teams? 

A: There are different advantages that could be gained by a bad actor that hacks into a team’s systems to access private data. As an example, in 2013, St. Louis Cardinals employees were able to hack into the Houston Astros’ systems, where they were able to see player data that included trade discussions (Greenwald, 2017). By having this kind of player data, the Cardinals would have a trade negotiating advantage with the Astros that other teams negotiating trades with the Astros would not have.

A data breach could also have an impact on contract negotiations between a team and a player. For example, if team A is negotiating with a player that is currently on its team, and team B wants to try to sign that player, team B could gain an unfair advantage if it were to obtain information regarding contract proposals that the current team (team A) is offering the player. By having this information before the player becomes a free agent, team B could pursue other players if it knew ahead of time that the player would be too expensive when the player became a free agent. If team B did not have the information obtained via a data breach, team B would have to wait until the player finishes contract negotiations with the current team (team A) before deciding to pursue other players. This situation could have easily happened when the Cardinals hacked into the Astros’ computer systems.

Q: Jamel: How can sports corporations work to protect sensitive fan and player data from unexpected hacking incidents? 

A: One of the most frequently abused deficiencies in cybersecurity is easily guessed passwords. Roughly 89% of password breaches are due to weak password encryption. Despite this information being readily available, most people underestimate the importance of password encryption. Today’s hackers can use intricate password-deciphering programs to effortlessly gain access to anyone’s vulnerable account. This type of security breach is called a brute force attack and is one of the many techniques hackers can use to illegally obtain information.

To protect its clients, a simple solution would be to enforce an organization-wide password encryption policy. This policy would entail organization education on the dangers of data breaches and the importance of effective security firewalls and secure sockets layers. A secure sockets layer (SSL) is a cybersecurity defense tool that creates a barrier between your information and the web. An SSL makes it so all information shared between the web and database is password protected. However, an SSL is only as good as the password, hence the stress on the importance of password strength. Moreover, the SSL can be further bolstered by a firewall. The web application firewall is designed to scour through the internet, scrubbing and analyzing all data being passed through your service. Once an anomaly is intercepted, it seeks to destroy it and notifies the user.

References: 

Ataman, A. (2023). Why cybersecurity in sports is more important than ever in 2023. AIMultiple. Retrieved April 25, 2023, from https://research.aimultiple.com/cybersecurity-in-sports/

Centers for Disease Control and Prevention. (2022, June 27). Health Insurance Portability and Accountability Act of 1996 (HIPAA). Centers for Disease Control and Prevention. https://www.cdc.gov/phlp/publications/topic/hipaa.html

Federal Register. (2023, April 21). The Federal Register: Code of Federal Regulations. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402

Gatlan, S. (2022, September 3). San Francisco 49ers: Blackbyte ransomware gang stole info of 20K people. BleepingComputer. Retrieved April 25, 2023, from https://www.bleepingcomputer.com/news/security/san-francisco-49ers-blackbyte-ransomware-gang-stole-info-of-20k-people/

Greenwald, M. (2017). Cybersecurity in sports. Questions of Privacy and Ethics. Tufts University Department of Computer Science. Retrieved from http://www.cs.tufts.edu/comp/116/archive/fall2017/mgreenwald.pdf

Gsimon. (2021, August 16). What are the Consequences of a Medical Record Breach? American Retrieval Company. https://americanretrieval.com/medical-records-breach/
