Dan Weil reports in the Wall Street Journal:
Like other big companies, teams rely on troves of digitized data to make decisions—but they face security issues that most businesses don’t have to worry about. Their players’ medical records are a tempting target for opponents—or gamblers—looking for leverage, while their on-field signs can be stolen with real-time ultrasharp video. Then there is the threat of cybercriminals hijacking a live broadcast for ransom.“Teams and leagues are increasingly driven by technology to assess performance, drive internal operations and engage with fans, as a result, data becomes the target."When it comes to cybercrime, sports teams have some unique vulnerabilities.
Like other big companies, teams rely on troves of digitized data to make decisions—but they face security issues that most businesses don’t have to worry about. Their players’ medical records are a tempting target for opponents—or gamblers—looking for leverage, while their on-field signs can be stolen with real-time ultrasharp video. Then there is the threat of cybercriminals hijacking a live broadcast for ransom.
“Teams and leagues are increasingly driven by technology to assess performance, drive internal operations and engage with fans,” says Alexander Southwell, who deals with sports-cybersecurity issues as a partner at the law firm Gibson Dunn & Crutcher.
As a result, “data becomes the target,” he says.
Major men’s and women’s leagues and several teams didn’t respond to requests for comment. Nor would several experts in the field speak specifically about what teams are doing to protect themselves.
Beyond the individual risks that sports organizations face, there’s an overall challenge that adds to the stakes: Teams must manage the issues under the constant glare of the media and millions of fans.
Here’s a look at some of the potential security issues that teams have to worry about.
Snooping on scouting reports
Deciding who to draft, or trade for, involves a tremendous amount of costly research, looking into everything from a player’s on-field tendencies to his emotional makeup.
With the stakes so high, a team’s data might be a tempting target for opponents looking for insights. One such hack happened several years ago: In 2016, former St. Louis Cardinals scouting director Chris Correa pleaded guilty in federal district court in Houston to breaching the Houston Astros’ email system and scouting database in 2013-14.
Mr. Correa downloaded an Excel file containing a list of every player eligible for that year’s amateur draft and how each Astros scout ranked them. He also viewed Houston’s internal notes on trade talks with other teams, scouting reports on potential draft picks and evaluations of international players.
The St. Louis team had to surrender its top two picks in the 2017 amateur draft to Houston and pay the Astros $2 million in compensation. Mr. Correa was sentenced to 46 months in prison and banned from baseball for life. (Neither the Cardinals nor Mr. Correa responded to requests for comment. At the time, Cardinals officials denied any connection to the hacking, saying they were unaware of it.)
High-tech sign-stealing
Spying on opponents’ on-field signals has a long history in sports, particularly baseball—and it can have a tremendous impact on games. Nowadays, sign-stealing doesn’t have to rely on some of the traditional strategies—like stationing a covert observer in center field, or having players scrutinize pitchers and catchers from the base paths.
For one thing, teams can analyze close-ups and slow-motion replays of a game just by monitoring the broadcast from the clubhouse. Teams are allowed to watch video during games—but they aren’t allowed to use that video to steal signs.
Opponents leveraging in-game video is likely “the greatest area of potential concern for professional sports leagues,” according to Nathaniel Grow and Scott Shackelford, professors at Indiana University’s Kelley Business School, and co-authors of a report on cybersecurity for sports leagues.
A prominent case of sign-stealing came to light in 2020, when Major League Baseball announced that the Astros had tapped into available video feeds to steal opponents’ signs on their way to winning the World Series in 2017.
The Astros faced a lot of public criticism and stiff punishment from MLB for having a video monitor near their dugout showing the center-field camera feed—which let them read the catcher’s signs to the pitcher. The players then banged on a garbage can to indicate what pitch was coming. MLB fined the team $5 million, took away its first- and second-round draft picks for two years, and suspended general manager Jeff Luhnow and manager A.J. Hinch for one season. Both men were then fired by the team.
The MLB investigation found that team owner Jim Crane didn’t know about the sign-stealing. It also found that Mr. Luhnow didn’t know but Mr. Hinch did. Still, MLB held those two men responsible for failures of leadership and culture.
Messrs. Luhnow and Hinch couldn’t be reached, and the Astros didn’t respond to requests for comment. In a statement at the time, Mr. Luhnow adamantly denied any knowledge of the Astros’ sign-stealing. “I am deeply upset that I wasn’t informed of any misconduct because I would have stopped it,” he said. Mr. Hinch, meanwhile, said at the time that “while the evidence consistently showed I didn’t endorse or participate in the sign-stealing practices, I failed to stop them, and I am deeply sorry.” In a statement to the The Wall Street Journal at the time, Mr. Crane said, “I am deeply sorry. I understand that I am ultimately responsible for this team, and I am entirely focused on implementing changes in our organization that will ensure that this never happens again.”
Along with video feeds, there are a number of on-field gadgets that could be targets for hacking: the digital notebooks that many football teams use to draw up their plays, for instance, or the radio system that coaches use to transmit plays to the quarterback, Mr. Shackelford says. In baseball, catchers now use a device, strapped to their wrist, that sends signs to the pitcher and up to three teammates.
Stolen health records
For a typical company, information about the health of midlevel employees and the skills of potential new hires would generally be of little use for a competitor. But in the sports world, exhaustive data about a player’s medical condition could be gold to opponents—giving them leverage in potential trades, for instance, or shining light on how competitors might change their rosters.
Competitors aren’t the only ones who might be interested in those private details. Gamblers might also want to leverage health information—if a player is injured, for instance, the opposing team might seem like a better bet.
While acknowledging the threat, Mr. Southwell doesn’t see gambling being as attractive to bad guys as other forms of attack. There is no guarantee that inside information from a team would provide a winning bet, he notes. And people who are able to penetrate a team or league’s database could use weapons such as ransomware that may gain them a lot more money than a winning bet.
Attacks on broadcasts
Some cybersecurity experts point to one other target that could lure hackers: broadcasts. Games are shown in real time, with millions of dollars in revenue at stake for the broadcasts. Cybercriminals could potentially make a killing by threatening to knock games off the air or actually doing so. What isn’t clear is where financial liability would rest.
The broadcasts are live, so “you have to be protected in real time,” says Candid Wüest, vice president of cyber-protection research at Acronis, which works with sports teams on cybersecurity. “Car makers can stop their production lines if there’s a problem, but here there’s no second chance.”
Compounding the problems is the large infrastructure needed for broadcasts, such as cameras and satellite trucks. Such a sprawling setup means many more potential weak spots. “All that telecommunications is vulnerable to cyberattacks,” says Scott White, director of the cybersecurity program at George Washington University.
Shutdowns of game broadcasts could cause teams and leagues to lose hundreds of millions of dollars, says Dave Kennedy, CEO of information-security firm TrustedSec, which works with teams and leagues on their cybersecurity.
But is it the team’s job to keep broadcasts safe from hackers? The answer depends on the individual contracts between teams and backers. “There they will have addressed who is responsible and what might need to be paid or remedies,” says Mr. Southwell of Gibson Dunn.
Hacking wearables
To get ever more precise information on their players, teams are turning to gadgets that can do a variety of jobs: measuring the impact on a football player’s helmet, or tracking the strain on a pitcher’s elbow ligaments.
Those wearables could potentially be hacked, essentially like hacking a phone or other gadget, Messrs. Grow and Shackelford say, and the information from them used to direct on-field strategy. Competing teams might try to put more pressure on sleep-deprived players or ones with overworked joints.
0 comments:
Post a Comment