By Bruce Sussman
Thu | Apr 23, 2020 | 12:52 PM PDT

Passions run high in sports, and sometimes things get chippy. It could be about a blown play, bad officiating, or anything perceived as unfair.

But sports leaders going off about cybersecurity? 

It just happened in the NFL. So let's take a look at the instant replay.

NFL cybersecurity smack talk and push back

The topic of the NFL's cybersecurity practices surfaced last week, courtesy of Baltimore Ravens' Head Coach John Harbaugh.

Harbaugh is the type of coach known for being secretive and always covering his mouth when calling plays, in case the competing team is watching on TV or through binoculars at the stadium.

As SecureWorld reported, Harbaugh expressed concerns about the NFL's first-ever virtual draft, happening April 23-25 through Zoom, Microsoft Teams, and live video feeds hosted through Amazon Web Services.

Apparently, Harbaugh is worried about another team silently Zoom-bombing his organization's draft strategy discussions. The league approved the use of Zoom for inter-team discussions.

"They assure me we are doing everything humanly possible, and I remind them that's what Wells Fargo and all those other places said about our private information, so I have some real concerns," Harbaugh told Reuters. "I really wouldn't want the opposing coaches to have our playbook or our draft meetings. That would be preferable."

But some at the National Football League are clearly frustrated by the concerns expressed by the NFL coach. Listen to this response:

"Coach Harbaugh, no one is going to hack into your system. Stop it." 

That's the message from Troy Vincent, the NFL's Executive Vice President of Football Operations, according to ESPN.

Cybercriminals who hear a promise like that will see it as an invitation to poke and prod, looking for a weak link in the NFL virtual draft operation.

What kind of cybersecurity risk exists in the NFL virtual draft?

What is at stake here? What if someone hacked the NFL's draft this year and got inside information?

Hank Schless, Senior Product Manager at security company Lookout, puts it like this:

"NFL picks aren't what we traditionally associate with valuable corporate data, however, they could be highly valuable to a malicious actor on Draft Day. Having this data stolen and shared out to the world ahead of that team's pick could alter the future of their organization.

As team personnel collaborate on Draft Day, they will be sharing data between multiple devices, exemplifying how employees access data fluidly between traditional endpoints and mobile devices with the adoption of cloud-based technologies. Ensuring that mobile devices are secured, both now and in the future, is just as detrimental to the future of every NFL team as any other enterprise organization."

And cybersecurity specialist Jan Youngren of VPNpro points out that the motivation to hack a high-stakes event like this is strong. Weak passwords, or those used repeatedly by teams or coaches, could be a way in, because hackers may have them already.

"Most people have but a few passwords and most are hardly strong enough, meaning that [previously] compromised accounts could lead hackers straight to the NFL Draft."

And Youngren adds, beware of the insider threat:

"You may also recall that in 2016, a St. Louis Cardinals' scouting director pleaded guilty to unauthorized access of a Houston Astros computer."

The NFL's history of hacks and data breaches

Every organization has something of value and is a potential target. That is the reality today.

However, prominent organizations and their stars are really attractive targets. 

Consider the stories we've posted over the last few years on NFL-related hacks. Most of these attacks occurred against social media accounts; however, the NFL and its prominence were the draw for hackers:

NFL says cybersecurity is ready for the virtual player draft

While there is a lot of talk happening about the cybersecurity of the three-day NFL 2020 draft, the NFL told ThreatPost it is taking action to make things as secure as possible.

"We have spoken individually to each of the clubs about their setup. The clubs are ultimately responsible for their communication systems among their staff. We have provided best practices and also ran a successful mock draft...."

And now it's time for the real thing. This year, more than sports fans may be watching. The cybersecurity community may be tuning in as well.