Manchester United Football Club has won plaudits from the cyber security community for a quick and transparent response to a cyber attack on its systems which took place on Friday 20 November.
Manchester United described the attack as a “sophisticated operation by organised cyber criminals”.
It said in a statement: “The club has taken swift actions to contain the attack and is currently working with expert advisors to investigate the incident and minimise the ongoing IT disruption. The club has extensive protocols and procedures in place for such an event and had rehearsed for this risk. Our cyber defences identified the attack and shut down affected systems to contain the damage and protect data.”
The club’s media channels, including its website and mobile app, were not affected, and nor is it currently aware of any breach of fan data it may hold. Its critical systems remained operational, and its home game on Saturday 21 November – against West Bromwich Albion, which it won 1-0 – went ahead normally.
Stuart Reed, UK director at Orange Cyberdefense, said: “Large sports organisations are a prime target for cyber criminals. Earlier this year the National Cyber Security Centre [NCSC] urged the sector to tighten its cyber security after it revealed that at least 70% of institutions suffer a cyber incident every 12 months – more than double the average for UK businesses.
“All data has value to cyber criminals, and in a business as lucrative as Premier League football it is not surprising that the activity of wealthy clubs has piqued the interest of cyber criminals.
“Unsurprisingly, Manchester United has stated that the club has extensive protocols and procedures in place for such an event and had rehearsed for this eventuality. However, it is impossible to cover yourself against all threats in cyber space, and that’s why a layered approach covering people, process and technology is essential to help minimise the risks,” said Reed.
Sam Curry, chief security officer at Cybereason, added: “Kudos to the cyber security experts at Manchester United Football Club for their quick and decisive response to a reportedly sophisticated cyber attack on their network.”
“All companies and organisations in the public and private sector should heed this warning; you will be attacked and suffer material loss from well-funded hacking groups or motivated individuals looking to profit or make political statements off your brand by stealing data, encrypting your files and demanding ransom and causing your company to be singled out in the headlines.”
Quick response
Jon Niccolls, EMEA & APAC incident response lead at Check Point, said: “The club responded very quickly to shut down the attack, and to communicate with its key stakeholders and the Information Commissioner’s Office [ICO]. It’s an excellent example of how to implement a detailed incident response plan.”
Even so, the exact nature of the attack on Manchester United is currently unknown. Niccolls noted that because the club’s statement disclosed that its IT teams shut down affected systems to contain the damage and protect its data, this would strongly suggest a ransomware incident has taken place, and possibly a more dangerous double extortion attack, a type of attack that has become well documented in 2020.
“Organisations such as football clubs are a prime target as their systems hold the details of hundreds of thousands of people including fans, employees, players as well as sensitive business and payment data,” said Niccolls.
“We would urge all organisations to follow the club’s example and build a strong defence that combines technology and processes: solutions that can prevent these attacks and prevent data leaks, and training for employees about the risks of phishing emails, as this is how many ransomware attacks are launched.”
Cybereason’s Curry added: “There are steps companies can take as defenders to reverse the adversary advantage and to start making cyber crime less profitable.
“First, companies need to improve their security hygiene and they need all employees to adhere to internal security guidelines and protocols. Second, companies need to deploy around-the-clock threat hunting capabilities. They also need to deploy newer anti-ransomware software and advanced detection and response software (XDR) in order to be able to detect in real time when malicious behaviour is occurring inside their network.”