As the NFL becomes more connected, unique cybersecurity strategies have been employed to ensure safety for players, personnel, and fans alike.
In 2016, former scouting director of the St. Louis Cardinals Christopher Correa was sentenced to four years in prison for hacking into the Houston Astros’ player-personnel database and email system in order to gain insights into their operations. Just a few months prior, the Milwaukee Bucks played victim to a security breach that saw players’ financial documents released, including Social Security numbers and compensation information. To wrap up the year, a Russian cyber espionage group hacked the World Anti-Doping Agency database and leaked the drug records of Venus and Serena Williams online. While there have been myriad advancements in the gear that ensures players’ physical safety, information security in the sports realm is still developing.
In just the last decade, professional sporting events have become technological hubs with numerous devices connecting to the same networks. While hosting Super Bowl LII, the U.S. Bank Stadium garnered 17 terabytes of Wi-Fi. For comparison, a recent Taylor Swift concert at Sports Authority Field in Denver, CO only allowed 8.1 terabytes. This is a far cry from where sports facilities were just 10 years ago. When Russ Trainor, Senior Vice President of IT at Sports Authority Field, started his position in 2008, he had 350 devices on the network.
Today, that number is closer to 8,000, consisting of scoreboards, iPads, personnel computers, and much more. On top of that, sports teams and facilities have been charged with the responsibility of protecting player and personnel data while ticketing services often hold the information of many fans. With nearly 20 years of experience working in NFL information technology and cybersecurity, Russ Trainor knows his way around the technology behind the Gridiron and shared some of his insights about the merging worlds of sports and cybersecurity.
Securing the Playbook
Where an NFL team is concerned, there are two main focuses: player information, especially as it pertains to medical records, and the playbooks. As Trainor describes it, “For me, it’s medical stuff. All my player records, player contracts … I need to lock them down.” While securing internal records is a relatively straightforward process, things get complicated when you consider how much movement there is in the NFL as players transfer from team to team. In the case of the Denver Broncos, they have their own Electronic Medical Record system, but it’s important to keep those records secure when a player transfers to a different team. Unfortunately, this can be sometimes difficult to navigate. Peter Alexander, CMO of Check Point, one of the world’s leading cybersecurity firms, explained that “medical environments are traditionally very vulnerable environments.”
This is typically caused by the numerous devices connected to the networks as well as the various people who need access to the medical records. Regardless, under the Health Insurance Portability and Accountability Act of 1996 (commonly known as HIPAA), it’s vital that teams protect the information of not only their own players, but the players of visiting teams as well. “People don’t think about that,” explains Trainor. “You have an X-ray machine on staff and you have access for both home and visiting teams, but you can’t share those images. So if an Oakland player messes his knee up, the Broncos can’t look at his knee. But their training staff can go in there, do the X-rays, and take that back with them.”
The other main asset that Trainor focuses on protecting is the playbook. With modern technology, most players are provided with iPads that carry videos and playbooks and other team-specific information. Storing all of this on portable tablets comes with many advantages. “We used to use paper playbooks and once in a while those playbooks would be left on a plane or in a hotel room,” Trainor explained. “But now, if they lose the iPad, number one, we can wipe it right then if they contact us.” Alternatively, their playbook app, PlayerLink, comes equipped with a time bomb, which would delete the videos and playbooks if the iPad doesn’t check in during a period of a few days.
How Cybersecurity Affects Fans
As various apps and social media platforms have been integrated into the fan experience, connectivity in stadiums has grown significantly, making it all the more important to be operating a secure network. At every major game, fans are posting to their Snapchats, Facebooks, Twitters, and Instagrams. Even outside of social media, digital apps have become a key part of the fan experience. “Soccer is a good example,” according to Peter Alexander. “The game is going most of the time. But if someone says, ‘Hey, was that really a penalty?,’ now you can look at the replay from almost any device. And so that generates huge bandwidth requirements.” Not only do the stadiums have to make sure their networks are secure, but they also, at a basic level, need to ensure they have a network capable of handling the bandwidth needs.
At the same time, franchises are often times responsible for ticket holders and collaborating with ticketing services. In light of the Ticketfly hack that occurred earlier this year, which affected around 26 million users, services need to be even more responsible with the information of event attendees. To combat this and protect fan data, the Broncos employ several layers of encryption and security. In the past, they held their Ticketmaster servers onsite, meaning someone would have to physically break into the facility in order to gain access.
However, in order to add extra layers of security, the Bronco’s personnel recently moved the servers offsite to Ticketmaster. In the meantime, Trainor is hesitant to transfer data to the cloud. “I’m nervous about it,” he expressed. “Right now, physically, if the data is on my storage system and my computers are in my building, I have physical control of that. Somebody has to actually come into the firewall, breach that, or they have to come into the building and breach my perimeter’s physical security.”
Detection is Key
Ultimately, though, the most vital part of cybersecurity is detection, because as long as a breach goes unnoticed, nothing can be done to protect against it. Plus, according to Trainor, “After a breach happens, it usually takes three, to four, to five months before they know somebody is in their network.” For this reason, Trainor employed Dell SecureWorks, a system that manages for suspicious computer activity 24/7. It all acts as a reminder that, in the information age, even the most obscure or unlikely of industries can be targets of cyber attacks and need to have constant vigilance to protect both their own employees and their customers.