FIFA caught hook, line and sinker in phishing attack

Football world-governing body FIFA has admitted that its systems suffered a sustained phishing attack earlier this year.

In March, more than 70 million documents and 3.4 terabytes of data were leaked to the weekly German news magazine Der Spiegel by the founder of the Football Leaks platform. In light of these findings, Der Spiegel, in cooperation with 14 other European news organisations, has launched a weekly series disclosing FIFA’s secrets.

The headlines mask the breach

The incident itself hit the headlines as soon as FIFA announced it, but its cause has been less well-explored than the revelations of the ‘dirty deals’ of the football world, and the implication that FIFA’s behaviour hasn’t aligned with the organisation’s claims to transparency, fairness and common values.

Although football holds a special place in many hearts across the globe, the cyber security elements of the situation should not be forgotten in the emotion of the sporting revelations. As a global organisation with a considerable workforce and hundreds of affiliated associations, FIFA should have been prepared for a data breach incident, and able to respond to one swiftly and effectively.

It is believed that the breach was caused by an employee falling for a phishing scam. Phishing attacks are increasingly sophisticated, but there are simple steps that can be taken to mitigate the risks. One of the most basic ones is training every employee to look for certain clues, such as mismatched URLs or misleading domain names. Remaining vigilant and cognisant of the risks is also essential at all levels of any organisation.
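As an added illustration of the clues mentioned above (not code from the original article, and not FIFA's tooling), the following Python script checks hyperlinks the way awareness training asks staff to: does the visible text point where the link really goes, does a familiar brand name appear inside someone else's domain, is the hostname punycode or a bare IP address. The trusted domain list and the sample links are constructed for the example; the registered-domain helper is deliberately naive and does not know multi-label public suffixes such as co.uk.

```python
"""
Phishing-link clue checker: flags the mismatched URLs and misleading domain
names that phishing-awareness training teaches staff to spot.
Added example; the trusted domain list and sample links are constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: the organisation's own registered domain(s).
TRUSTED_DOMAINS = {"fifa.com"}

DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)")
IPV4_HOST = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname ('www.fifa.com' -> 'fifa.com').
    Naive on purpose: a production checker would consult a public-suffix
    list so that 'example.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(display_text: str, href: str) -> list[str]:
    """Return the phishing clues found in one hyperlink.
    An empty list means no clue fired, not that the link is safe."""
    clues = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    target = registered_domain(host)

    # Clue 1: the visible text shows one domain but the link goes to another.
    m = DOMAIN_IN_TEXT.search(display_text.lower())
    if m and registered_domain(m.group(1)) != target:
        clues.append(f"mismatched URL: text shows {m.group(1)} but link goes to {host}")

    # Clue 2: a trusted brand name is placed inside some other registered
    # domain (as a subdomain label or in the path) to look familiar.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if target != trusted and (brand in host or brand in parsed.path.lower()):
            clues.append(f"misleading domain: '{brand}' appears in a link registered to {target}")

    # Clue 3: punycode label, which can render as look-alike Unicode characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        clues.append("internationalised (punycode) hostname; may render as a look-alike name")

    # Clue 4: a bare IP address instead of a hostname.
    if IPV4_HOST.fullmatch(host):
        clues.append("raw IP address used instead of a hostname")

    # Clue 5: '@' in the authority part; browsers ignore everything before it.
    if "@" in parsed.netloc:
        clues.append("'@' in URL: the real host is what follows it")

    # Clue 6: unencrypted transport.
    if parsed.scheme == "http":
        clues.append("plain http link")

    return clues


def scan_links(links) -> dict:
    """Map each href to its clue list, keeping only links with at least one clue."""
    report = {}
    for text, href in links:
        found = analyse_link(text, href)
        if found:
            report[href] = found
    return report


# Constructed sample links (display text, href) as they might appear in a
# suspicious e-mail; the .example domains are reserved and not real sites.
SAMPLE_LINKS = [
    ("https://www.fifa.com/login", "https://www.fifa.com/login"),
    ("https://www.fifa.com/documents",
     "http://fifa.com.secure-docs-review.example/documents"),
    ("Reset your password", "https://xn--ffa-7ef.example/reset"),
    ("View shared folder", "https://fifa.com@203.0.113.10/share"),
]

if __name__ == "__main__":
    for href, found in scan_links(SAMPLE_LINKS).items():
        print(href)
        for clue in found:
            print("  -", clue)
```

Run it as a script to see the report for the sample links; the first, genuine link produces no clues and is omitted, while the other three each trigger one or more. Such a checker is a training aid and a cheap mail-gateway heuristic, not a substitute for the vigilance the article calls for: a link with no clues can still be hostile.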

FIFA’s stance

FIFA said of the attack:

Following a hack in March 2018, FIFA took a number of measures to improve IT security, in order to protect employees, and we are concerned by the fact that some information has been obtained illegally.

FIFA condemns any attempts to compromise the confidentiality, integrity and availability of data in any organisation using unlawful practices.

However, this statement doesn’t reflect the scale of the breach, or provide assurances of the organisation’s cyber security programme. After all, in his announcement to the Associated Press, FIFA President Gianni Infantino said that media outlets had been in touch about leaked information they had received. In other words, FIFA itself had not realised that it had suffered a breach.

Infantino said:

My job entails having discussions, having conversations, exchanging documents, drafts, ideas, whatever, on many, many, many, many, topics. Otherwise you don’t go anywhere.

I mean, if I just have to stay in my room and not speak to anyone and cannot do anything, how can I do my job properly?

While many of us can appreciate his perspective, the fact remains that there are effective tools and systems that organisations can employ to reduce the risks when sharing information, such as encryption, password controls and permissions settings. More automated solutions include machine learning, which analyses patterns and spots anomalies in behaviour that would alert management to potential breaches.

Whatever arises as a result of this breach, FIFA needs to take a good look at its internal processes and systems in order to avoid additional breaches. After all, this is the second time the organisation has suffered a high-profile breach – the first was in 2017 when Russian hacking group Fancy Bears disclosed details of players who had failed drugs tests. To be breached once is unfortunate, but to be breached twice in close succession suggests systemic failures, and is sure to have lingering consequences for the organisation and its reputation.

Assess your risks

Use our breach readiness checklist to identify areas for improvement and understand how you can prepare to act effectively in the event of a breach.