TORONTO — Imagine the fallout if the NHL was hacked and its star players — think Sidney Crosby, Auston Matthews and Connor McDavid — had their home addresses, phone numbers and other personal information made accessible online.
It’s an all-too-familiar scenario for Canadian lacrosse player Kevin Crowley, who was among the victims of a data breach that affected Major League Lacrosse last summer, when a spreadsheet with the personal details of every player in the league and former players was mistakenly made available to an unintended audience.
"To be completely candid, we talked about it on our team and I don’t think anyone was all that surprised that something like that could have happened," said the 29-year-old New Westminster, B.C., native, who was a No. 1 draft pick in the MLL and the National Lacrosse League.
"As lacrosse players we’re not making millions of dollars a year, but I can imagine if an NHL or NFL or NBA player got their account hacked, that’d be a much bigger deal in terms of what they could probably take out of their accounts."
Cybersecurity has become a growing concern in sports leagues and players’ associations around the world in the wake of several data breaches and unrelenting waves of hacking attempts.
Just days before the MLL hack went public last August, it was also revealed that the Russian cyberespionage group Fancy Bears had obtained what it said was confidential medical data on soccer players who had drug exemptions for the 2010 World Cup. The group released a similar trove of documents about a year earlier that it said revealed drug test results of tennis star Serena Williams and others from the World Anti-Doping Agency. WADA confirmed at the time that it had been hacked.
On Wednesday, the U.K.-based cybersecurity company Darktrace announced it is now providing the NHL Players’ Association with an artificial intelligence-powered service to help protect player data such as personal contacts and contract details.
"For most sporting leagues, their information in many ways is their currency," said Darktrace spokesman David Masson.
"It’s the data about their organization, how they work, how they train, how they pay, how much they receive, it’s all in there and for many of them there’s potential of theft, reputational damage, there’s potential for the network to be brought down."
Stephen Frank, who has been the NHLPA’s director of technology and security since 2012, recalls there were no real hacking threats on the web back when he started on the job. In those days, each player in the league was set up with a dial-up internet account to stay in touch with the union.
Nowadays, there are huge concerns around social media-linked attacks and phishing attempts that involve being hacked after clicking on an innocent-looking link.
"These players are deep-pocketed, high net-worth individuals of some status, so whether it’s someone trying to exploit them through ransom or someone who wants to undermine the integrity of their online social media, phishing is generally still the most visited route of a bad actor," Frank said, adding the threats linked to social media are multi-faceted.
"There is the whole side of getting their account breached and taken over, there are impersonation accounts that can be very detrimental to a player’s brand and/or employability, but you also have a situation where you have followers retweeting and inserting nefarious links that will confer malware."
Given that today’s young players are digital natives who were typically active on social media before becoming stars, there’s an important need to educate about "proper online hygiene" and security trends, starting with a rookie orientation program, Frank said.
"Top to bottom, young players through old, I would say (all players) are very educated," he said.
"We also stress the importance of their brand, perhaps not only as a rookie but throughout their career and life after hockey as well. We take it very seriously, the players are well-educated from the day they step into the league from the day they depart."