FIFA has joined the ranks of the many high-profile organisations to fall victim to hackers as football’s governing body confirmed that its computer systems were hacked this March. This is the second time this year that a FIFA hack has occurred.
It is thought that the hack occurred after phishing attempts, in which UEFA officials were duped into revealing their login details.
According to the New York Times, a consortium of European media organisations plans to publish stories based on the internal documents later this week. It is not yet known what information has been compromised in the most recent FIFA hack, but the organisation is bracing itself for the possible release of private data.
Earlier this month, the US Department of Justice and the FBI revealed that FIFA was one of the organisations targeted by Russian intelligence in 2017, an operation in which data on failed drug tests was leaked.
In a statement, football’s international governing body said:
“Following a hack in March 2018, FIFA took a number of measures to improve IT security, in order to protect employees. It’s an ongoing issue, which FIFA has to face just like countless organisations around the world who are all dealing with data security challenges.”
The governing body also said that it condemned “any attempt to compromise the confidentiality, integrity and availability of data”.
What could have been done to stop the FIFA hack?
Phishing attacks are a serious problem, and are still the most commonly used attack on organisations, occurring more often than malware and spyware. According to FireEye, one in every hundred emails is an attempt at a malicious attack, putting employees at risk on a daily basis.
Employees frequently fall for attempts by third parties to obtain login credentials to gain access to a computer system using fraudulent emails, presenting a serious problem for many organisations.
Their regularity is a clear sign that cyber vigilance and awareness are vital to minimising exposure to attack. Three cyber security experts give their advice to FIFA, and to other organisations, looking to minimise the risk of phishing.
Tim Sadler, co-founder and CEO at software company Tessian, believes it is important for employees to receive training to help them spot potential attacks:
“To minimise the risk of falling victim to this phishing attack – and any other kind of phishing scam – it is important that FIFA’s employees are sceptical and vigilant. In other words, they should expect to be targeted by fraudsters and respond by treating any request for information or payment in their inbox as suspicious, particularly in the aftermath of this breach. It is also important that staff are trained on the characteristics of a phishing scam, how they operate and how they can financially and reputationally impact their organisation.”
He believes that the FIFA hack could have been prevented by technological solutions:
“However, as FIFA have been hacked twice this year, and strong-form impersonation phishing scams are on the rise and proving increasingly effective, vigilance alone is not enough. The best defence against the rise of phishing, particularly in large organisations with thousands of vulnerable employees like FIFA, is a machine intelligent solution that automatically and comprehensively prevents attacks by analysing the context and content of inbound email. Only then can FIFA’s email networks be absolutely watertight and safe from the threat of phishing.”
Could more FIFA hacks be ahead?
Ross Rustici, senior director of intelligence services at cyber security company Cybereason, warns that this may not be the last FIFA hack to make its way into the media:
“This is not the first, nor is it likely the last time we will be discussing a breach of FIFA systems. Its global prominence and history of scandal make it an enticing target for hackers. Known hacks against their networks range from hacktivists to Russian nation state actors. This latest incident is a reminder that cyber security must be front and centre of any risk planning. Given the nature of the incident thus far, it appears the primary goal is to embarrass FIFA by leaking information directly to journalists which would be an evolution in how the groups in the past have dealt with the data they stole.
“Both Football Leaks and the Russian government have traditionally chosen to publicly release the information to ensure that embargoes and balanced reporting don’t undermine the salacious nature of the information being presented. With the outcome of the bidding for the 2018, 2022, and 2026 World Cups being as contentious as they were, I’m sure football fans across the world will have some interesting gossip to read if the leaks become public. However, at the end of the day, that is likely all this hack is.”
Tim Callan, Senior Fellow at Comodo CA, the world’s largest certificate authority, believes that a practical solution is for companies to obtain Extended Validation certificates:
“The FIFA data breach illustrates that criminals still can gain results from older, proven attack vectors. In this case, a phishing attack, which has existed in the same basic form for more than twenty years, appears to be the root cause of the lost login credentials. Steps businesses can take to protect users from falling for this kind of online scam include obtaining an Extended Validation (EV) certificate, and it continues to be as important as ever that they take every precaution they can.”