Due to the sensitive personal information and proprietary data collected and generated in the course of sports betting, these systems are high-value targets for malicious cyber actors. Providers of sports betting services must ensure that their cybersecurity protocols and data privacy policies adequately protect their systems and users.
Cybersecurity and Data Privacy Risks Associated with Sports Betting
As sports betting becomes more pervasive, so do the cybersecurity and data privacy vulnerabilities that the industry presents. When placing a sports bet, bettors are required to disclose a large amount of personal information. This can include the individual’s date of birth, Social Security number, physical address, email address, financial and banking information, and location data. In addition to the data that users contribute to place bets, the platforms used to place bets also use and generate a lot of data about the sports themselves.
Most sports betting platforms allow bettors to bet on a wide variety of events, such as which team will win the game, the score of a game, the performance of a certain player and whether a game will go into overtime. These bets remain open throughout the game, and the odds are driven by data. The data used to calculate these odds include statistics relating to the performance of the players and teams, the composition of the league, the time in the season at which games are scheduled and other factors. The privacy and integrity of this data are crucial to a properly regulated sports gambling industry. If this data is compromised, it could have drastic effects both for bettors and for the integrity of the sports betting industry.
Due to the sensitive information that sports betting technology holds, these systems are ripe for cyberattack. Across the board, cyberattacks are on the rise. The highly valuable personal information held by sports gambling providers makes these companies attractive targets for malicious cyber actors. Malicious cyber actors have already executed hacks of similar gambling operations, such as lotteries and casinos, to access this type of information. In 2016, the United Kingdom’s national lottery was hacked, and more than 26,500 online lottery accounts were compromised. As a result of this attack, malicious cyber actors gained access to personal information of those individuals whose accounts were compromised.
In February 2020, MGM Resorts and Casino experienced a cyberattack in which 142 million individuals’ personal details were stolen and placed for sale on the dark web. Information accessed in the intrusion included private information about guests and players, including names, home addresses, phone numbers, emails and dates of birth. Moreover, there has already been one reported cyberattack on an online sports betting portal. In March 2020, the Oregon lottery had to shut down its online sports betting platform, SBTech Scoreboard, due to a suspected breach. Ultimately, no information was compromised in the attack because SBTech was able to take its systems offline and resolve the intrusion before the hackers accessed any of this data.
Best Practices for Cybersecurity and Data Privacy
Countries and companies that are operating sports betting platforms should invest in implementing cybersecurity and data privacy best practices. Cybersecurity best practices for these organizations align with general cybersecurity best practices and can include:
- Following best-practice policies and procedures issued by government agencies and industry groups.
- Creating proactive connections with law enforcement agencies and third-party cybersecurity providers.
- Having in place cybersecurity incident response policies and procedures.
- Utilizing threat intelligence services (both public and private) to manage emerging threats.
- Adopting a “zero-trust” cybersecurity model so that there is equal importance placed on both stopping attacks and recovering from them.
- Ensuring that executives, including board members, are briefed on cyber threats and cybersecurity measures.
- Mandating multifactor authentication for users and employees.
- Employing endpoint detection and response technologies.
- Investing in secure payment systems to process transactions.
Companies involved in sports betting should also be aware of any laws in their country that concern safe storage of data, as well as their obligations to consumers in the case of a data breach. Many countries’ data privacy regulations will cover obligations in both instances.
The bottom line is that cyber criminals, like any other criminals, follow the money. This implies that the massive increase in sports betting in most countries is bound to attract hackers looking to steal funds and disrupt platforms. Venue owners and operators, as well as sports betting platforms, are advised to take steps that would minimize the possibility of suffering cyberattacks.