Saturday 15 June 2013

Man City Hack: When Information is worth more than money

The Manchester City scouting database hack is close to my heart on two counts, it highlights the corporate espionage side of information security, and involves my other passion away from security, the beautiful game, football.

Funny but it's no laughing matter for MCFC

City Scouting Database Compromise is Clouded
What is clear is Manchester City officials believe their confidential scouting database, has been taken a rival club employee, but how this data was compromised is cloudy.  The City scouting data was stored in a cloud based (online) application called ProScout7. Scout7, a Midlands based company, were quick to deny their system had been hacked, and suggested the fault lied with City's scouts password management. In other words that either a City scout had not protected their username and password, or perhaps the PC the scout was using to access Scout7, had been compromised with a keylogger or trojan software, passing on the Scout7 account credentials to a rival scout. The released details on the cause are sketchy, and it is quite possible the ProScout7 system was hacked, but we can only speculate about the cause at this point. But one thing is for certain, the scouting information is very important to Manchester City football club, and it  is of value to their footballing competitors. 
When Information is worth more than money
City's scouting knowledge has a direct cash value, in that rival teams may be alerted and bid for the same players City are interested in, pushing up the transfer price. This easily could result in a transfer increase in the millions.  But there is another value, which is more than the transfer fee, it is that City want to beat rivals like Manchester United, Chelsea, and other European big spenders, in signing the best available players. Signing of players ahead of rivals, can make all the difference, and can decide the winners of titles.  If Robin Van Persie was signed by City instead of United last season, I am sure most footballing pundits would agree City would of won the title.

Case in point, as soon as City found out their database was compromised by a rival club,  they immediately took action, and signed two of their secret targets, Jesus Navas (£24m) and Fernandinho (£30m), before their rivals could muscle in.

 £24Million Navas

£30 Million Ferdandinho

In all, this is an interesting incident, as it highlights the real high steaks value of information, and the reality of corporate espionage in the UK. The incident also poses the usual set of security questions, starting with, when information is known to be a high value business asset, is the business really doing enough to protect that asset?   For example
  • Are the scouts using the scouting system adequately managed?
  • Are the scouts regularly receiving information security awareness training?
  • Does the Scouting application sufficiently protect the scouting database? Especially with access control, ensuring scouts only have access to information on a need to know basis.
  • Are the computers used by the scouts appropriately secured? i.e. Anti-Virus, Patch Management, and other end point security technologies
  • Is the third party scouting company adequately vetted and managed by City?
Even if the ProScout7 online application was found to be at fault, Manchester City are still responsible for ensuring Scout7, a third party company City entrust with their holy of holies data, are able to protect their scouting information in line with their valuation of it.

No comments: