Sports: When rugby meets cybersecurity

On June 22, we learned in the press that the French Rugby Federation (FFR) was suffering a cyberattack and threats of disclosure of information.

This attack confirms this maxim that we sometimes tend to forget: “Everyone can be the target of a cyberattack”. It emerged in 2020, in the midst of the COVID period, when attacks targeted hospitals. Today, it no longer really surprises, because yes, “everyone can be the target of a cyberattack”.

The world of sports is no exception to the rule. The motivations for these attacks remain simple: as with hospitals, hackers target exposed structures, which can potentially earn them a profit. This is the case of the French Rugby Federation (FFR) and the Rugby World Cup. As the event approaches and its media coverage increases, pirates are becoming more and more interested in it. What cyber impact on sporting events? 

Let’s zero in on this growing threat and in the priority projects to counter it.

Sports infrastructures at risk

During a sporting event (amateur or professional), the reception structure has essential assets (video surveillance, access control, giant screens, and advertising banners, technical management of the buildings, etc.) to ensure the smooth running of the event, meeting, supporter safety, and logistics. These solutions interact with the information system of the sports venue and are closely linked to the data of the various service providers and partners.
Cyber attackers can make it a target, aware of the vulnerabilities induced, mainly due to a partial vision of internal teams of the IT ecosystem and a lack of knowledge of cyber threats or best practices to adopt.
For example, a disruption occurring in the access control solution can have significant repercussions on the organization, such as slowing down the process of validating tickets to access the sports venue. This slowdown can in turn generate, in the best-case scenario, impatience but also crowd movements around the stadium, with a direct impact on the physical safety of people.
Other risks are closely linked to strengthening the security of wired and Wi-Fi networks, server infrastructures, workstations, or even the means of connection to the Information Systems of partners and service providers. Added to this is the importance of compartmentalizing the different solutions, securing interconnections with the outside world, and setting up validation processes linked to physical security and access rights within the sports venue.

All these risks require a strong need for security in terms of Availability, Integrity, Confidentiality, and Traceability (DICT). The expected level evolves according to the legislation imposed on sports clubs and/or associations and associated sports complexes: the size of the installation, number of sports practiced, employees, service providers, media exposure, etc.
Of course, during global events such as the Rugby World Cup or the Olympic Games, the selected sports venues are governed by the regulations of national authorities and sports federations. Three main actors are responsible for their application: the event organizer, the administrative centre, and the host city.

With some exceptions, the host communities are responsible for the sports infrastructures made available for the event and for securing the associated Information Systems. Thus, ahead of these events, different actions are recommended by the authorities (carrying out a risk analysis, raising employee awareness, creating a Continuity/Business Resumption Plan, etc.) with the aim of carrying out an inventory of the existing situation and to deduce the projects to be carried out. This step is essential to increase the level of security and cyber maturity of infrastructures.

Multi-faced attackers who target "broadly"

France, a notorious land of sports, hosts multiple sporting events, both collective and individual, throughout the year. Both for regular championships (Ligue 1, Top 14, D1 Starligue, etc.) and for international events (Rolland Garros, Le Tour de France, the Champions League, etc.), all disciplines are included in the competition, get media coverage and are subject to strong cultural, economic, and societal issues.
The necessary exposure of systems on the internet and the interconnections with the information system of the sports complex constitute real “entrance doors” via which cyber attackers can infiltrate and disrupt the event beforehand or on D-Day, thus creating a climate of instability and risks.

These vulnerabilities benefit all types of crime, whether hacktivists, terrorist groups, or even specialized pharmacies, sponsored or not by state organizations. These attackers are interested in the sector with the aim of destabilizing the event, extorting information for profit or even organizing “strike” operations to make themselves known or claim an idea.

Organizers and their partners must increase their level of vigilance due to the increase in these malicious acts. Indeed, in addition to being significantly increasing against sporting events, they no longer impact only the event itself but also the athletes and supporters.
Behind fan fraud lie highly organized cyberattackers. They mainly intervene in the sale of illegal tickets on the black market but can also use the method known as “competitions”. It encourages the player to fill out a contact form, containing personal data, in order to win places to attend the event. In order to counter this type of attack during the Rugby World Cup, the organizer of the event has also set up a secure official resale platform, allowing supporters to resale their tickets. Sports betting and streaming sites are also targeted by cyberattackers.

Finally, in recent years, there have been attacks on athletes themselves. Indeed, the physical and sporting performances of athletes are scrutinized by medical teams who rely on new technologies (scales and connected watches, power sensors, GPS, home trainers, etc.) in order to take measurements, centralize, and thus adapt training plans. A type of data that attackers are fond of, because they can exploit it, resell it to sports competitors, or distribute it to the general public.

Fortunately, sports structures and their management are increasingly aware of the risks linked to cybersecurity. As a result, they now give an important place to securing their Information Systems and improving the level of cyber maturity of their entities.

One of Orange Cyberdefense's missions is to make the various stakeholders aware that cybersecurity is not a sprint but a real marathon.

Our teams bring their expertise in cybersecurity, alongside service providers, to strengthen the overall security and resilience of systems. Here are some examples:

• Carrying out maturity audits and intrusion tests;
• Implementation of business continuity/resumption plans (PCA/PRA);
• The creation or update of business processes;

• The drafting of documents such as an Information Systems Security Policy (PSSI), an Operational Information Systems Policy (POSSI), or even a Security Assurance Plan (PAS);
• The development of a Crisis Management Plan (CMP) and the execution of a cyber crisis simulation exercise.

This need to strengthen the level of cyber maturity is particularly illustrated this year, since ahead of the Rugby World Cup, our teams supported some of the sports complexes hosting the event. Ahead of the competition, the objective was to carry out an inventory of the existing level of security in order to define the procedure to follow and carry out certain actions in collaboration with local teams.

Guillaume Pauls, Cybersecurity Consultant at Orange Cyberdefense , talks about one of these missions: “It is a real privilege to be able to evolve in sporting environments. These are enriching missions, both humanly and professionally. We work in close collaboration with all teams, which allows us to create a relationship based on trust and move forward together towards the same goal.

During our discussions with the business teams, we noted that security and continuity of services within sports venues were very important subjects. All employees are aware of the current risks linked to cyberattacks and the exposure associated with sporting events.

The approach put in place by our teams is clear: support, assess, and raise awareness.

When starting this type of mission, it is first important to make our interlocutors aware of cyber risks but also to reassure them. Then, we work in collaboration with business teams to target essential assets, analyze existing solutions and measures, and identify vulnerabilities present in the Information System. This then allows us to draft an action plan, with the aim of enabling the entity and its service providers/partners to improve their security levels.”

The world of sports is now deeply embedded in the digital age, offering unprecedented opportunities while exposing the sector to complex risks.
The rapid expansion of digital technologies in this world brings a series of geopolitical challenges. Major sporting events, such as the Rugby World Cup, attract global attention and can provide a backdrop for subtle digital conflicts between nations. Threats of potential cyberattacks, aimed at disrupting events or compromising the integrity of certain data, require reinforced international coordination in cybersecurity.

At the same time, human risks cannot be underestimated. Malicious actors target not only sports infrastructure, but also the sensitive data of athletes, fans, and organizers. Unauthorized collection and exploitation of personal data creates vulnerabilities that can be exploited for fraudulent acts. Increased pressures on athletes to perform, not only physically but also numerically, raise concerns about their mental and emotional well-being. Cybersecurity professionals have a prominent role to play in ensuring that the human aspects of this digital revolution are taken into account in protection strategies.

As France prepares to host the 2023 Rugby World Cup, cybersecurity players must be ready to take on these complex challenges.
Advanced technologies that enrich the sporting experience must be accompanied by increased vigilance in digital protection. Sports bodies, government authorities, and cybersecurity stakeholders must proactively collaborate to anticipate threats, put in place robust defenses, and develop agile response plans. It is clear that the issues linked to cybersecurity in sports are essentially identical to those present in any other field. Like a public or private company or a hospital, a sports venue must apply a 360° cyber strategy, focusing its efforts on a governance aspect and on the 5 stages of the threat life cycle: anticipate, identify, protect, detect, and react.

Cybersecurity in sports, particularly in the run-up to the 2023 Rugby World Cup, relies on a delicate balance between innovation and protection. By tackling these challenges with determination and taking into account the geopolitical and human aspects, we can ensure that the passion and unity of sports will not be compromised by digital threats but strengthened by our commitment to preserving the integrity and safety of each major competition.

Author: Guillaume Pauls, Cybersecurity Consultant at Orange Cyberdefense