It’s not often that football and cybersecurity are mentioned in the same sentence. But with endless streams of data being collected by teams to inform their strategies both on and off the pitch, a cybersecurity incident could be catastrophic. The question is: who is top of the football cybersecurity league?

New York-based IT firm SecurityScorecard, which uses AI to rate the cyber hygiene of any company in the world, turned its rating platform towards the footballing world and ranked the teams in order of their cybersecurity posture.

And it found that Brighton & Hove Albion FC has the best defence in the Premier League – at least when it comes to fending off cyberattacks.

While Chelsea currently sits 4th in the league, it does not fare well for its cybersecurity and sits bottom of the rankings.

SecurityScorecard also analysed the cyber hygiene of Germany’s Bundesliga and Spain’s La Liga. And among all three leagues, a similar pattern emerged: the higher the club sits in the league, the worse their cybersecurity posture tends to be.

Southampton FC, for example, languishes near the bottom of the Premier League table but has the third best cybersecurity (league standings accurate as of 1st December 2018).

In the Bundesliga, Borussia Dortmund sits top of the footballing league but bottom for its cybersecurity. The same is also true of La Liga’s Sevilla FC.

Why does it matter if a football team has strong cybersecurity?

A few decades ago, it wouldn’t have mattered very much. But today, football teams have increasingly large digital footprints.

“We have so much more data about players,” says Matthew McKenna, VP EMEA at SecurityScorecard and the man behind the research. “Every match is being filmed, all training games are being filmed, all match day games are being filmed.

“We have blood test data, we have fitness level data. There’s just so much critical data now about these players that is at risk of exposure.”

Arsenal, for example, collects around 8 terabytes of data a year from training sessions alone.

Then there’s customer data, such as phone numbers, addresses and payment details. For some of the biggest teams, those databases can contain hundreds of thousands of people.

3 Things That Will Change the World Today

And with Manchester City’s turnover surpassing half a billion pounds, the 4% fine threatened by GDPR could prove very costly to a team suffering a data breach.

Some of the bigger clubs, such as Manchester United, Arsenal and Juventus are publicly listed companies. A hack like the one on Real Madrid’s Twitter page, which claimed Lionel Messi was headed to Madrid, can send shockwaves through a club’s share price.

Then there’s scouting information and email correspondence, which are both at risk to hacks, that could scupper a multi-million-pound transfer deal.

“There’s a lot of money at stake here for the protection of this data,” says McKenna, who played semi-professional football in both Germany and Finland in the 90s.

To rank the football clubs, SecurityScorecard looked at ten criteria. These include network security, DNS health, application security, patching bands, IT reputation, exposed administrator domains, leaked credentials, social engineering and hacker chatter.

football cybersecurity

It took all of these factors into account and compared football teams in the English Premier League, German Bundesliga and Spanish La Liga.

Here’s how they stack up:

(All standings accurate as of 01/12/18)

Premier League

Position Premier League Standings Cyber standings
1 Manchester City Brighton & Hove Albion
2 Liverpool FC Wolverhampton
3 Tottenham Hotspur Southampton FC
4 Chelsea FC Huddersfield Town
5 Arsenal Burnley
6 Everton FC Crystal Palace
7 Manchester United Newcastle United FC
8 Leicester City Liverpool FC
9 AFC Bournemouth Leicester City
10 Watford FC Manchester City
11 Brighton & Hove Albion West Ham United FC
12 Wolverhampton Cardiff City FC
13 West Ham United FC AFC Bournemouth
14 Crystal Palace Tottenham Hotspur
15 Newcastle United FC Manchester United
16 Cardiff City FC Arsenal
17 Huddersfield Town Everton FC
18 Southampton FC Fulham FC
19 Burnley FC Watford FC
20 Fulham FC Chelsea FC


La Liga

Position La Liga Standings Cyber standings
1 Sevilla FC Villarreal CF
2 FC Barcelona RCD Dspanyol
3 Athletico Madrid Girona FC
4 Deportivo Alaves SD Huesca
5 Real Madrid Celta Vigo
6 RCD Dyspanyol SD Eibar
7 Getafe CF Gerafe CF
8 Girona FC Real Valladolid
9 Real Sociedad Deportivo Alaves
10 Real Betis Rayo Vallencano
11 Levante UD CD Leganes
12 SD Eibar Real Madrid
13 Celta Vigo Levante UD
14 Valencia CF FC Barcelona
15 Real Valladolid Valencia CF
16 CD Leganes Real Sociedad
17 Villarreal CF Real Betis
18 Athletic Bilbao Athletico Madrid
19 Rayo Vallencano Athletic Bilbao
20 SD Huesca Sevilla FC

Bundesliga

Position Bundesliga Standings Cyber standings
1 Borussia Dortmund Werder Bremen
2 Borussia Monchengladbach VFL Wolfsburg
3 FC Bayern Munich Schalke 04
4 Eintracht Frankfurt Fortuna Dusseldorf
5 RB Leipzig RB Leipzig
6 200px9 Hoffenheim Mainz05
7 Hertha BSC Berlin Hannover96
8 Werder Bremen Borussia Monchengladbach
9 Mainz05 FC Augsburg
10 VFL Wolfsburg FC Bayern Munich
11 Schalke 04 Hertha BSC Berlin
12 Bayern Leverkusen SC Freiburg
13 SC Freiburg Bayern Leverkusen
14 FC Augsburg VFB Stuttgart
15 VFB Stuttgart Eintracht Frankfurt
16 FC Nurenburg 200px9 Hoffenheim
17 Hannover96 FC Nurenburg
18 Fortuna Dusseldorf Borussia Dortmund

Why do bigger clubs tend to fair worse in football cybersecurity rankings?

The findings show that overall, the three football leagues are doing “reasonably okay” when compared to all businesses.

football cybersecurity

“The concern is with those top teams that have the largest digital footprints out there, that are multi-million dollar a year businesses that probably need to take that little bit more focus on the cyber risk posture because they also have more to lose,” says McKenna.

“They’re the ones taking the majority of the television revenues, the commercial revenues, the media revenues. If I have more to lose, maybe I should consider investing more to protect that.”

But why do the larger teams tend to sit towards the bottom of the football cybersecurity rankings, despite their IT budgets being bigger in outright terms?

One explanation is their larger digital footprints.

“They’re internationalising heavily to build out their brand and as a result they’re also expanding their digital footprint at a global level and they’re leveraging more digitalisation tools as well as they go forward.

“So they have a lot more digital assets and ground to cover and more complexity to the coverage. And with that exposure, maybe they don’t have the same level of cyber maturity that traditional businesses have.”

Another reason is that bigger clubs are more likely to be targetted.

“Some companies with excellent cybersecurity ratings still get breached, because they’re being targetted,” says McKenna. “And some companies with extremely poor cybersecurity ratings will not get breached, because they’re not being targetted. So it’s there to give us a general indication of cyber health.”

Worryingly, regulatory compliance was severely lacking across all three leagues, with both the Bundesliga and La Liga scoring 0% for GDPR compliance.

football cybersecurity

“Cybersecurity is probably not an extremely day-to-day topic inside professional football teams,” says McKenna.

“They’re worried about winning the next game, what players they’re going to recruit, merchandising, these types of things.

“Cybersecurity is probably not up in their top five, but at the same time, when you start thinking of things like GDPR fines and things like that, it’s potentially a significant amount of money that can impact their business if they don’t take care of the issues from a cyber perspective.”

Read more: Technology in tennis: How data is serving up new insights