Cybersecurity in sports: risks, real attacks, and what companies can learn

Celia Catalán


A Champions final with tens of thousands of spectators in the stadium and millions following the broadcast; a massive concert with electronic systems managing access; even a local football match with the entire ticketing operation and subscriber data. Behind the sporting and musical euphoria, mass events face very real cybersecurity risks.

This post takes a “third-person analytical” approach: we explore high-profile cyberattacks on sporting events and draw out the lessons we consider worth sharing with you.

We will see how cybercriminals play their own game by attacking infrastructures, stealing fan data, sabotaging broadcasts, or extorting with stolen tickets. Each incident leaves us with lessons applicable not only to future sporting events but also to sectors like retail or entertainment that share the need to protect critical operations under media spotlights.

Let's start with the Super Bowl, perhaps the annual sporting event with the most media coverage in the United States and one of the most important in the world, which also makes it a “super target” for cybercriminals. As the game approaches, not only does excitement rise... so do attempts at scams and digital sabotage.

Days or weeks before, fake websites start circulating, along with emails promising exclusive tickets or official merchandise, and even emails impersonating the organization to steal data. It has already happened: in 2023, emails impersonated the event committee to deceive suppliers. People let their guard down in the excitement of the moment, and that's where the attackers strike.

But cyberattacks don't only target fans. In 2024, a company in charge of the stadium show suffered an attack that exposed personal data of more than 5,000 people. They didn't go after the NFL directly; they attacked a partner. That was enough. Since then, drills are conducted with dozens of companies, security forces, and partners to prepare for attacks: mass phishing, ransomware, data leaks, or even insider threats.

And yes, ransomware has also been present. In 2021, the San Francisco 49ers were attacked right on the weekend of the game. Although they weren't playing, the timing was too tempting for the attackers. Something similar happened at the 2018 Winter Olympics: malware slipped in during the opening ceremony and crashed the networks. Since then, many sports organizations have a plan B: communications outside the main network, manual turnstiles, or teams ready to react if something fails.


Fans aren't safe either. In 2023, an external NBA provider was the victim of a cyberattack and data from newsletter subscribers was stolen. The NBA itself had to warn everyone about phishing risks. Although their systems were not touched, the scare was real. Moral: any link in the chain can be the entry point. 

Back in Spain, the most recent case involved Deportivo de La Coruña, which a few days ago was the victim of a cyberattack that compromised its subscriber database. The club itself confirmed that on May 16 it detected an intrusion in one of its cloud servers, which forced it to act quickly. The attackers managed to access the personal data of thousands of members: name, surname, DNI, address, email, phone... In short, everything needed to launch targeted phishing campaigns or even more elaborate fraud attempts. Fortunately, the club assured that no financial data or passwords were accessed.

After containing the attack, Deportivo followed the correct steps: they notified the police and the Spanish Data Protection Agency, and sent an email to all their subscribers alerting them of what happened and asking for maximum caution against possible suspicious calls, emails, or messages. This is key. Because with just a name and phone number, a scammer can pretend to be from the club and ask for a “data verification” to renew the subscription or update the payment card. The club anticipated this risk well and communicated it clearly and transparently, which is a great lesson in crisis management: it is not just about containing the technical damage, but about preventing the incident from having a second life through social engineering.

The exact technical details are unknown, but when talking about a cloud intrusion, one can suspect anything from stolen credentials to unauthorized access through some poorly protected API. The truth is that, as in many other cases, the attack did not depend on the size of the club, but on its digital exposure. Nowadays, anyone can be a target for someone wanting to steal your database and sell it on forums. Fan data has value: it is used for spam campaigns, scams, or even extortion.

This case recalls another that happened not long ago. In October 2023, Real Sociedad also suffered a cyberattack, much more serious in terms of the type of data compromised. In that case, not only personal data but also bank accounts of members and shareholders were leaked. The attack was attributed to the ransomware group LockBit, which not only stole the information but also encrypted it, demanding a ransom. Real had to ask those affected to monitor their bank accounts and stay alert.

The comparison is clear: Deportivo and Real Sociedad were targets of different threats, but equally real, and both had to activate response mechanisms. This leads to an inevitable conclusion: football clubs, big or small, are today custodians of sensitive data, and have the same responsibility as any company regarding protection, communication, and regulatory compliance.

The Champions League and the Third Division share more than football: cyberattacks don't care about badges. And every incident, no matter how small, reminds us that cybersecurity is a match all professional sports actors (leagues, clubs, sponsors, and providers) are obliged to play.

In the end, the conclusion is clear: cybersecurity is now part of the game. Behind every big final, there's a team making sure nothing explodes in the digital world. And the key is not to wait for something to happen, but to rehearse beforehand and plug the gaps. Like training a key play before the big day.

What happened with Deportivo and Real Sociedad are not exceptions: they are clear signs that sport, like any other sector, needs to take cybersecurity seriously. It's no longer just about protecting a server or patching a specific flaw, but about changing the entire approach to managing technology in organizations that, besides moving passions, handle personal data, money, and reputation in real time.

The lessons are clear: protect sensitive information as if it were gold (because it is), have a response plan ready for when something fails, and above all, notify those affected quickly and clearly. Something as simple as a well-written email sent on time can prevent hundreds of people from falling for a scam after a leak.

It's also essential to rehearse "crisis mode" in advance. What happens if the turnstiles fail or the payment systems go down on game day? What if the giant screen or scoreboard gets hacked? As with any event, improvising on the spot usually comes at a high cost. That's why many teams and leagues have started rehearsing these scenarios as if they were part of preseason.

And this doesn't only apply to sports. Anyone organizing a concert, a festival, a Black Friday, or a massive e-commerce campaign can learn from these cases. Because, in the end, the threats are the same and the audience's expectations too: that everything works, their data is safe, and no one tricks them with a fake email or a counterfeit ticket.

The big conclusion, which you all know by now, is that cybersecurity is no longer just a technical matter handled in an isolated room. It's part of the show. If done well, it goes unnoticed. But if it fails, it can overshadow everything. That's why we have to accept that playing offense in security (preventing, simulating, educating) is as important as talent on the field, on stage, or behind an online store.

And if not, just ask those who thought Deportivo wasn't "an interesting target"... until someone took the subscriber database with a single click.
