Global events like the Olympics attract an extraordinary amount of attention. The Tokyo 2020 Olympics had an international audience of around 3.05 billion, roughly 40% of the world's population. Events such as these act as powerful economic drivers, bring about social change, and are often rare moments of solidarity and unity in an increasingly divided world. However, they also present substantial cybersecurity risks.
In 2021, the Olympic Games in Tokyo suffered around 450 million cyberattacks. This number is expected to increase eightfold in Paris later this year. The staggering amount of data inherent in an event such as the Olympics is too good of an opportunity for cybercriminals to pass up. But what can we learn from past incidents? What's driving this concerning rise in attacks targeting sporting events? And how can we protect against them?
The Olympic Games, the FIFA World Cup, and the NBA Championship share one thing in common: They have increasingly become targets for cyberattacks, offering valuable lessons learned.
For example, a series of phishing attacks targeting Olympic officials during the 2020 Tokyo Olympics and the 2022 FIFA World Cup spectators demonstrated the persistent risk of social engineering and the need for ongoing cybersecurity awareness training. While the NBA's systems remained uncompromised during the 2023 breach at one of its external mail service providers, the incident underscored the vulnerability of third-party service providers to cyber threats.
These incidents underscore a crucial truth: the threat landscape for large-scale sporting events is constantly evolving, growing more sophisticated and persistent. The National Cybersecurity Center (NCSC) and Microsoft have both highlighted the increased threat of cyber attacks to global sporting events, which are enabled by a high level of cyber-physical convergence.
Cybercriminals are relentless in their pursuit, seeking to exploit any vulnerabilities for various motives, from financial gain to political disruption. However, past incidents offer a tremendous opportunity for event organizers. By examining tactics and techniques and learning from past incidents, organizers can better protect the integrity, safety, and reputation of these cherished global events. The ultimate goal is to create a secure environment where athletes can compete, and fans can celebrate without the looming fear of cyberattacks overshadowing the spirit of sportsmanship.
Attacks on global sporting events have risen – and are expected to increase further – for several reasons. Perhaps most obviously, cybercriminals have grown more sophisticated, and the evolution of artificial intelligence (AI) tools has, to an extent, democratized cybercrime, allowing even novice hackers to launch relatively sophisticated campaigns.
However, the problem goes deeper than this. The ever-increasing reliance on digital infrastructure for event management, ticketing, broadcasting, and communication has amplified the attack surface. Although Paris Olympic officials have reportedly better secured their digital footprint than other major sporting events, the sheer scale of operations at the games represents an enormous attack surface.
According to Yiannis Exarchos, Olympic Broadcasting Services CEO, "Some 11,000 hours of content are planned for Paris 2024," and bookings for cloud services have increased 279% from Tokyo 2020. Cybercriminals will not miss this extraordinary opportunity. This was made apparent during the UEFA EURO 2024 competition when a DDoS attack disrupted Poland’s opening game live streaming.
Our Application Security Threat Research Team has found that DDoS attacks targeting European travel, sports, entertainment, and gambling sites have increased by 89% from 2023. As demonstrated during the UEFA EURO 2024, DDoS attacks can potentially cause significant disruptions during global sporting events. These attacks can target critical infrastructure and services, leading to widespread issues. They may overwhelm ticket sales websites, authentication systems, broadcasting services, and official event websites, resulting in lost sales, logistical challenges, and frustrated fans.
In addition, the same report highlights that criminals exploit malicious bots for ticket scalping to disrupt the ticketing process, depriving fans and then reselling them at inflated prices. Malicious bots also use techniques like credential stuffing and credential cracking to hijack user accounts on sports websites. Attackers exploit these accounts to purchase tickets, sell fraudulent merchandise, or steal personal information, causing financial damage to the account holders and the event organizers.
In response to these tactics, organizers must adopt a multi-layered, proactive approach to cybersecurity. Identity and Access Management (IAM) will be invaluable for securing critical assets and processes at the Paris 2024 Olympic Games. The Games organizers are establishing a centralized IAM system, requiring MFA for all access points, administering role-based access controls (RBAC), and adhering to the principle of least privilege.
The identity challenge is further exacerbated by the fact that only 22% of spectators are expected to have paper tickets—the rest will have to prove the validity of their digital tickets and identities through digital wallets. Furthermore, events like the Olympic Games rely heavily on gig workers, which presents one more identity problem. Cybersecurity officials must carry out secure onboarding and offboarding processes, run real-time, continuous monitoring and auditing controls, adhere to pre-established data protection best practices, and develop and rehearse a comprehensive incident response plan.
In addition, high-speed encryption (HSE) plays a pivotal role in safeguarding broadcasting services from attacks like DDoS. Low latency and high-capacity data encryption add a layer of security, making it significantly harder for malicious actors to identify and manipulate network traffic. Additionally, high-speed encryption can help mitigate the impact of a DDoS attack by making it more difficult for attackers to overwhelm the network with traffic. While encryption doesn't directly stop a DDoS attack, it acts as a critical deterrent and protective measure, enhancing the resilience of broadcasting services against such threats.
Paris 2024 promises a sporting spectacle open to the masses but faces multiple security risks, from cyberattacks to climate activists and anti-government protesters. Cybersecurity preparation will play a vital role in enjoying a safe and secure Olympic Games!