The Manchester United football club in the U.K. has confirmed that the team fell victim to a cyberattack on its systems.
Man U., one of the most popular soccer teams in the world, said that it was suffering ongoing IT disruptions. “The club has taken swift actions to contain the attack and is currently working with expert advisers to investigate the incident and minimize the ongoing IT disruption,” it said in a short statement issued Friday night. “The club has extensive protocols and procedures in place for such an event and had rehearsed for this risk. Our cyber-defenses identified the attack and shut down affected systems to contain the damage and protect data.”
The team said only that the attack was a “sophisticated operation by organized cybercriminals,” but other details are scant on what it involved – be it ransomware or anything else. The soccer juggernaut did say that personal data associated with fans or customers was not breached.
It also said that its public-facing systems – the club’s website, mobile app and social-media channels – are unaffected, and that no interruption of play is expected.
“All critical systems required for matches to take place at Old Trafford remain secure and operational,” according to the club. Saturday’s match against West Bromwich Albion went on as planned.
“The cyberattack on Manchester United is alarming but will certainly not be the last of its kind,” said Daniel Norman, senior solutions analyst at the Information Security Forum. “Many hackers see cyberattacks as a game, with organizations being the target. The pedigree for this attack does not get more famous than one of the biggest names in sports. It is no surprise that this giant of the sporting world has been targeted.”
According to Man U.’s statement, its cyber -defense architecture kicked in, allowing it to take an orchestrated action, Dirk Schrader, global vice president at New Net Technologies (NNT), told Threatpost. “From what is known so far, it seems like a swift, coordinated response,” he said. “They detected an incident, they had procedures developed for such type of incident — which not only covered technical measures, but also internal and external communications and the call to experts to get involved.”
Man U. is not the first professional soccer team to be targeted by cyberattackers. In February, another globally popular club, F.C. Barcelona, fell victim to an apparent credential-stuffing attack.
Just ahead of its Champion’s League Round of 16 appearance, the official Twitter account for “Barca” (as the Spanish powerhouse is affectionately known) was taken over. Bogus tweets were sent out in apparent support of bringing Brazilian star Neymar Jr. back to the club’s roster.
The hacking collective known as OurMine took credit for the attack, hot on the heels of taking over official Twitter accounts for 15 different NFL teams in January. The attack also marked the second time that OurMine took aim the Spanish team; in 2017 the gang attacked its Twitter and Facebook pages.
In July 2018, attackers were able to access the IT networks of one of Man U.’s top rivals, Liverpool F.C., harvesting personal information for the club’s season-ticket holders.
“Sports teams, first and foremost, are businesses — with networks, channels, technologies and most importantly, vulnerabilities,” Norman said. “Elite soccer teams are arguably some of the ripest targets for cyberattackers, with significant sums of money flowing through their books across geographical boundaries, with different teams working around the clock in sales, marketing, branding, healthcare and management. Moreover, a soccer team’s supply chain is extensive and diversified – the volume of customer data shared on match days, on club websites, fan forums, sponsor sites and elsewhere provides attackers with a number of technical and potential human vulnerabilities that can be exposed.”
For too long, sports teams have focused too closely on assuring the financial risk of the business, when disruption can come from any number of avenues, Norman said: “With a global presence comes a global suite of vulnerabilities that may be exposed. Elite sports teams should take note of this attack and act to protect their critical technical and information assets.”
It’s not just the clubs themselves but also fans that are in cyberattack crosshairs. In June, just as the English Premier League was getting ready to return to the pitch after a hiatus for COVID-19, the U.K.’s National Cyber Security Centre (NCSC) issued a warning on phishing, fraud and brute-forcing attempts by attackers looking to break into fan accounts. The assessment, it said at the time, was based on precedent: The NCSC has also observed escalating cyberattacks on television streaming subscriptions as more and more people quarantine at home during the COVID-19 pandemic.
“As well as illegally watching the game the victim has paid for, the hackers could make unauthorized purchases on the platform or look to find personal information that could be used for further scams – including targeting them with scam emails or phone calls,” the organization warned.