Manchester United football club experienced a ransomware attack in late 2020. They were held to ransom for millions of pounds by cyberhackers who targeted the club’s computer systems and demanded payment to stop them from releasing sensitive data.
It is a difficult decision for any business – pay up or risk seeing highly sensitive information being wiped out or leaked into the public domain.
The club were clear from the start that the attack was very serious but it did not impact on their schedule of matches.
United brought in a team of technical experts to contain the attack and they informed the Police and the National Cyber Security Centre (NCSC).
The NCSC revealed that in 2019 an English Football league club was hit with a £5m ransomware demand. They were unable to access their CCTV or use entry turnstiles, but its’s not believed that they paid anything.
It took weeks of effort to get things back to normal following the attack and United could face fines of up to £18 million or two per cent of their total annual worldwide turnover from the Information Commissioner’s Office if the attack is found to have breached their fans’ data protection.
The NCSC has previously warned that there is a growing threat to sports clubs.
It took roughly 2 weeks for United IT staff and outside experts to regain control of the situation. It is believed they did not pay the attackers.
The episode was embarrassing for United and they are still under investigation by the Information Commissioner’s Office.
If you have any experiences with these scams do let me know, by email.